From 2051e164957bba42cc11d9f6a8293ab5f62c638c Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Wed, 12 Jul 2023 12:09:44 -0400 Subject: [PATCH 1/4] [Security Rules] Update security rules package to v8.7.9-beta.1 (#6940) * [Security Rules] Update security rules package to v8.7.9-beta.1 * Add changelog entry for 8.7.9-beta.1 --- .../security_detection_engine/changelog.yml | 5 + .../000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json | 83 ------ ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json | 86 ++++++ ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json | 83 ++++++ .../00140285-b827-4aee-aa09-8113f58a08f3.json | 117 --------- ...40285-b827-4aee-aa09-8113f58a08f3_105.json | 117 +++++++++ ...40285-b827-4aee-aa09-8113f58a08f3_106.json | 118 +++++++++ ...40285-b827-4aee-aa09-8113f58a08f3_107.json | 117 +++++++++ .../0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json | 97 ------- ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json | 99 +++++++ ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json | 98 +++++++ ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json | 97 +++++++ .../00678712-b2df-11ed-afe9-f661ea17fbcc.json | 87 ------ ...0678712-b2df-11ed-afe9-f661ea17fbcc_1.json | 89 +++++++ ...0678712-b2df-11ed-afe9-f661ea17fbcc_2.json | 87 ++++++ .../0136b315-b566-482f-866c-1d8e2477ba16.json | 90 ------- ...6b315-b566-482f-866c-1d8e2477ba16_101.json | 92 +++++++ ...6b315-b566-482f-866c-1d8e2477ba16_102.json | 90 +++++++ .../015cca13-8832-49ac-a01b-a396114809f6.json | 81 ------ ...cca13-8832-49ac-a01b-a396114809f6_102.json | 84 ++++++ ...cca13-8832-49ac-a01b-a396114809f6_103.json | 81 ++++++ .../0171f283-ade7-4f87-9521-ac346c68cc9b.json | 105 -------- ...171f283-ade7-4f87-9521-ac346c68cc9b_1.json | 105 ++++++++ .../027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json | 91 ------- ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json | 92 +++++++ ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json | 91 +++++++ .../02a23ee7-c8f8-4701-b99d-e9038ce313cb.json | 111 -------- ...2a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json | 112 ++++++++ ...2a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json | 111 ++++++++ .../02a4576a-7480-4284-9327-548a806b5e48.json | 94 ------- ...4576a-7480-4284-9327-548a806b5e48_103.json | 95 +++++++ ...4576a-7480-4284-9327-548a806b5e48_104.json | 94 +++++++ ...4576a-7480-4284-9327-548a806b5e48_106.json | 94 +++++++ .../02ea4563-ec10-4974-b7de-12e65aa4f9b3.json | 85 ------ ...a4563-ec10-4974-b7de-12e65aa4f9b3_102.json | 86 ++++++ ...a4563-ec10-4974-b7de-12e65aa4f9b3_103.json | 85 ++++++ .../03024bd9-d23f-4ec1-8674-3cf1a21e130b.json | 89 ------- ...24bd9-d23f-4ec1-8674-3cf1a21e130b_101.json | 91 +++++++ ...24bd9-d23f-4ec1-8674-3cf1a21e130b_102.json | 89 +++++++ .../035889c4-2686-4583-a7df-67f89c292f2c.json | 98 ------- ...889c4-2686-4583-a7df-67f89c292f2c_104.json | 99 +++++++ ...889c4-2686-4583-a7df-67f89c292f2c_105.json | 98 +++++++ .../0415f22a-2336-45fa-ba07-618a5942e22c.json | 145 ---------- ...5f22a-2336-45fa-ba07-618a5942e22c_103.json | 146 +++++++++++ ...5f22a-2336-45fa-ba07-618a5942e22c_104.json | 145 ++++++++++ .../041d4d41-9589-43e2-ba13-5680af75ebc2.json | 84 ------ ...d4d41-9589-43e2-ba13-5680af75ebc2_103.json | 85 ++++++ ...d4d41-9589-43e2-ba13-5680af75ebc2_104.json | 84 ++++++ .../04c5a96f-19c5-44fd-9571-a0b033f9086f.json | 88 ------- ...5a96f-19c5-44fd-9571-a0b033f9086f_101.json | 90 +++++++ ...5a96f-19c5-44fd-9571-a0b033f9086f_102.json | 88 +++++++ .../053a0387-f3b5-4ba5-8245-8002cca2bd08.json | 104 -------- ...a0387-f3b5-4ba5-8245-8002cca2bd08_104.json | 105 ++++++++ ...a0387-f3b5-4ba5-8245-8002cca2bd08_105.json | 104 ++++++++ .../0564fb9d-90b9-4234-a411-82a546dc1343.json | 94 ------- ...4fb9d-90b9-4234-a411-82a546dc1343_104.json | 95 +++++++ ...4fb9d-90b9-4234-a411-82a546dc1343_105.json | 94 +++++++ .../05b358de-aa6d-4f6c-89e6-78f74018b43b.json | 94 ------- ...358de-aa6d-4f6c-89e6-78f74018b43b_104.json | 95 +++++++ ...358de-aa6d-4f6c-89e6-78f74018b43b_105.json | 94 +++++++ .../05e5a668-7b51-4a67-93ab-e9af405c9ef3.json | 83 ------ ...5a668-7b51-4a67-93ab-e9af405c9ef3_103.json | 84 ++++++ ...5a668-7b51-4a67-93ab-e9af405c9ef3_104.json | 83 ++++++ .../0635c542-1b96-4335-9b47-126582d2c19a.json | 101 ------- ...5c542-1b96-4335-9b47-126582d2c19a_105.json | 102 +++++++ ...5c542-1b96-4335-9b47-126582d2c19a_106.json | 102 +++++++ ...5c542-1b96-4335-9b47-126582d2c19a_107.json | 101 +++++++ .../06568a02-af29-4f20-929c-f3af281e41aa.json | 93 ------- ...6568a02-af29-4f20-929c-f3af281e41aa_2.json | 94 +++++++ ...6568a02-af29-4f20-929c-f3af281e41aa_3.json | 93 +++++++ .../06a7a03c-c735-47a6-a313-51c354aef6c3.json | 102 ------- ...6a7a03c-c735-47a6-a313-51c354aef6c3_2.json | 103 ++++++++ ...6a7a03c-c735-47a6-a313-51c354aef6c3_3.json | 102 +++++++ .../06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json | 92 ------- ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json | 93 +++++++ ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json | 93 +++++++ ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json | 92 +++++++ .../074464f9-f30d-4029-8c03-0ed237fffec7.json | 98 ------- ...464f9-f30d-4029-8c03-0ed237fffec7_104.json | 99 +++++++ ...464f9-f30d-4029-8c03-0ed237fffec7_105.json | 98 +++++++ .../0787daa6-f8c5-453b-a4ec-048037f6c1cd.json | 95 ------- ...787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json | 95 +++++++ .../07b1ef73-1fde-4a49-a34a-5dd40011b076.json | 106 -------- ...7b1ef73-1fde-4a49-a34a-5dd40011b076_3.json | 107 ++++++++ ...7b1ef73-1fde-4a49-a34a-5dd40011b076_4.json | 106 ++++++++ .../07b5f85a-240f-11ed-b3d9-f661ea17fbce.json | 92 ------- ...5f85a-240f-11ed-b3d9-f661ea17fbce_104.json | 94 +++++++ ...5f85a-240f-11ed-b3d9-f661ea17fbce_105.json | 95 +++++++ ...5f85a-240f-11ed-b3d9-f661ea17fbce_106.json | 92 +++++++ .../080bc66a-5d56-4d1f-8071-817671716db9.json | 105 -------- ...bc66a-5d56-4d1f-8071-817671716db9_102.json | 106 ++++++++ ...bc66a-5d56-4d1f-8071-817671716db9_103.json | 105 ++++++++ .../082e3f8c-6f80-485c-91eb-5b112cb79b28.json | 98 ------- ...e3f8c-6f80-485c-91eb-5b112cb79b28_102.json | 99 +++++++ ...e3f8c-6f80-485c-91eb-5b112cb79b28_103.json | 98 +++++++ .../083fa162-e790-4d85-9aeb-4fea04188adb.json | 116 -------- ...fa162-e790-4d85-9aeb-4fea04188adb_102.json | 117 +++++++++ ...fa162-e790-4d85-9aeb-4fea04188adb_103.json | 116 ++++++++ .../0859355c-0f08-4b43-8ff5-7d2a4789fc08.json | 114 -------- ...859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json | 114 ++++++++ .../092b068f-84ac-485d-8a55-7dd9e006715f.json | 106 -------- ...b068f-84ac-485d-8a55-7dd9e006715f_102.json | 107 ++++++++ ...b068f-84ac-485d-8a55-7dd9e006715f_103.json | 106 ++++++++ .../09443c92-46b3-45a4-8f25-383b028b258d.json | 98 ------- ...43c92-46b3-45a4-8f25-383b028b258d_103.json | 99 +++++++ ...43c92-46b3-45a4-8f25-383b028b258d_104.json | 98 +++++++ .../09d028a5-dcde-409f-8ae0-557cef1b7082.json | 87 ------ ...028a5-dcde-409f-8ae0-557cef1b7082_101.json | 89 +++++++ ...028a5-dcde-409f-8ae0-557cef1b7082_102.json | 87 ++++++ .../0a97b20f-4144-49ea-be32-b540ecc445de.json | 55 ---- ...7b20f-4144-49ea-be32-b540ecc445de_100.json | 56 ++++ ...7b20f-4144-49ea-be32-b540ecc445de_101.json | 55 ++++ .../0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json | 56 ---- ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json | 56 ++++ ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json | 56 ++++ ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json | 56 ++++ .../0b2f3da5-b5ec-47d1-908b-6ebb74814289.json | 101 ------- ...f3da5-b5ec-47d1-908b-6ebb74814289_105.json | 106 ++++++++ ...f3da5-b5ec-47d1-908b-6ebb74814289_106.json | 101 +++++++ ...f3da5-b5ec-47d1-908b-6ebb74814289_107.json | 101 +++++++ .../0c41e478-5263-4c69-8f9e-7dfd2c22da64.json | 139 ---------- ...c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json | 139 ++++++++++ .../0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json | 91 ------- ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json | 92 +++++++ ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json | 91 +++++++ .../0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json | 231 ---------------- ...a14d9-d65d-486f-9b5b-91e4e6b22bd0_103.json | 235 +++++++++++++++++ ...a14d9-d65d-486f-9b5b-91e4e6b22bd0_104.json | 230 ++++++++++++++++ ...a14d9-d65d-486f-9b5b-91e4e6b22bd0_204.json | 231 ++++++++++++++++ .../0ce6487d-8069-4888-9ddd-61b52490cebc.json | 98 ------- ...6487d-8069-4888-9ddd-61b52490cebc_101.json | 100 +++++++ ...6487d-8069-4888-9ddd-61b52490cebc_102.json | 98 +++++++ .../0d160033-fab7-4e72-85a3-3a9d80c8bff7.json | 61 ----- ...d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json | 62 +++++ ...d160033-fab7-4e72-85a3-3a9d80c8bff7_3.json | 61 +++++ .../0d69150b-96f8-467c-a86d-a67a3378ce77.json | 84 ------ ...9150b-96f8-467c-a86d-a67a3378ce77_103.json | 85 ++++++ ...9150b-96f8-467c-a86d-a67a3378ce77_104.json | 84 ++++++ .../0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json | 121 --------- ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json | 122 +++++++++ ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json | 121 +++++++++ .../0e52157a-8e96-4a95-a6e3-5faae5081a74.json | 83 ------ ...2157a-8e96-4a95-a6e3-5faae5081a74_101.json | 86 ++++++ ...2157a-8e96-4a95-a6e3-5faae5081a74_102.json | 83 ++++++ .../0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json | 81 ------ ...acaae-6a64-4bbc-adb8-27649c03f7e1_103.json | 83 ++++++ ...acaae-6a64-4bbc-adb8-27649c03f7e1_104.json | 81 ++++++ .../0e79980b-4250-4a50-a509-69294c14e84b.json | 94 ------- ...9980b-4250-4a50-a509-69294c14e84b_102.json | 93 +++++++ ...9980b-4250-4a50-a509-69294c14e84b_103.json | 95 +++++++ ...9980b-4250-4a50-a509-69294c14e84b_104.json | 94 +++++++ .../0f4d35e4-925e-4959-ab24-911be207ee6f.json | 99 ------- ...f4d35e4-925e-4959-ab24-911be207ee6f_1.json | 105 ++++++++ ...d35e4-925e-4959-ab24-911be207ee6f_103.json | 99 +++++++ .../0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json | 102 ------- ...3cb9a-1931-48c2-8cd0-f173fd3e5283_103.json | 103 ++++++++ ...3cb9a-1931-48c2-8cd0-f173fd3e5283_104.json | 102 +++++++ ...3cb9a-1931-48c2-8cd0-f173fd3e5283_106.json | 102 +++++++ .../0ff84c42-873d-41a2-a4ed-08d74d352d01.json | 92 ------- ...84c42-873d-41a2-a4ed-08d74d352d01_102.json | 93 +++++++ ...84c42-873d-41a2-a4ed-08d74d352d01_103.json | 92 +++++++ .../10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json | 93 ------- ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json | 94 +++++++ ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json | 93 +++++++ .../11013227-0301-4a8c-b150-4db924484475.json | 85 ------ ...13227-0301-4a8c-b150-4db924484475_103.json | 90 +++++++ ...13227-0301-4a8c-b150-4db924484475_104.json | 85 ++++++ .../1160dcdb-0a0a-4a79-91d8-9b84616edebd.json | 90 ------- ...0dcdb-0a0a-4a79-91d8-9b84616edebd_103.json | 91 +++++++ ...0dcdb-0a0a-4a79-91d8-9b84616edebd_104.json | 90 +++++++ .../1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json | 101 ------- ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json | 102 +++++++ ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json | 102 +++++++ ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json | 101 +++++++ .../119c8877-8613-416d-a98a-96b6664ee73a.json | 82 ------ ...c8877-8613-416d-a98a-96b6664ee73a_102.json | 85 ++++++ ...c8877-8613-416d-a98a-96b6664ee73a_103.json | 82 ++++++ .../11dd9713-0ec6-4110-9707-32daae1ee68c.json | 124 --------- ...1dd9713-0ec6-4110-9707-32daae1ee68c_4.json | 120 +++++++++ ...1dd9713-0ec6-4110-9707-32daae1ee68c_5.json | 125 +++++++++ ...1dd9713-0ec6-4110-9707-32daae1ee68c_6.json | 124 +++++++++ .../11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json | 107 -------- ...a6bec-ebde-4d71-a8e9-784948f8e3e9_104.json | 93 +++++++ ...a6bec-ebde-4d71-a8e9-784948f8e3e9_105.json | 108 ++++++++ ...a6bec-ebde-4d71-a8e9-784948f8e3e9_106.json | 107 ++++++++ .../12051077-0124-4394-9522-8f4f4db1d674.json | 98 ------- ...51077-0124-4394-9522-8f4f4db1d674_102.json | 100 +++++++ ...51077-0124-4394-9522-8f4f4db1d674_103.json | 98 +++++++ .../128468bf-cab1-4637-99ea-fdf3780a4609.json | 104 -------- ...28468bf-cab1-4637-99ea-fdf3780a4609_2.json | 105 ++++++++ ...28468bf-cab1-4637-99ea-fdf3780a4609_3.json | 104 ++++++++ ...28468bf-cab1-4637-99ea-fdf3780a4609_5.json | 104 ++++++++ .../12a2f15d-597e-4334-88ff-38a02cb1330b.json | 92 ------- ...2f15d-597e-4334-88ff-38a02cb1330b_201.json | 94 +++++++ ...2f15d-597e-4334-88ff-38a02cb1330b_202.json | 92 +++++++ .../12cbf709-69e8-4055-94f9-24314385c27e.json | 108 -------- ...bf709-69e8-4055-94f9-24314385c27e_201.json | 110 ++++++++ ...bf709-69e8-4055-94f9-24314385c27e_202.json | 108 ++++++++ .../12f07955-1674-44f7-86b5-c35da0a6f41a.json | 90 ------- ...07955-1674-44f7-86b5-c35da0a6f41a_104.json | 91 +++++++ ...07955-1674-44f7-86b5-c35da0a6f41a_105.json | 90 +++++++ .../1327384f-00f3-44d5-9a8c-2373ba071e92.json | 95 ------- ...7384f-00f3-44d5-9a8c-2373ba071e92_102.json | 96 +++++++ ...7384f-00f3-44d5-9a8c-2373ba071e92_103.json | 95 +++++++ .../138c5dd5-838b-446e-b1ac-c995c7f8108a.json | 65 ----- ...c5dd5-838b-446e-b1ac-c995c7f8108a_102.json | 65 +++++ ...c5dd5-838b-446e-b1ac-c995c7f8108a_103.json | 65 +++++ .../141e9b3a-ff37-4756-989d-05d7cbf35b0e.json | 99 ------- ...e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json | 101 +++++++ ...e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json | 99 +++++++ .../143cb236-0956-4f42-a706-814bcaa0cf5a.json | 84 ------ ...cb236-0956-4f42-a706-814bcaa0cf5a_100.json | 87 ++++++ ...cb236-0956-4f42-a706-814bcaa0cf5a_101.json | 84 ++++++ .../14de811c-d60f-11ec-9fd7-f661ea17fbce.json | 86 ------ ...e811c-d60f-11ec-9fd7-f661ea17fbce_201.json | 88 +++++++ ...e811c-d60f-11ec-9fd7-f661ea17fbce_202.json | 86 ++++++ .../14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json | 87 ------ ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json | 88 +++++++ ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json | 87 ++++++ .../15a8ba77-1c13-4274-88fe-6bd14133861e.json | 126 --------- ...8ba77-1c13-4274-88fe-6bd14133861e_105.json | 131 +++++++++ ...8ba77-1c13-4274-88fe-6bd14133861e_106.json | 126 +++++++++ ...8ba77-1c13-4274-88fe-6bd14133861e_107.json | 126 +++++++++ .../15c0b7a7-9c34-4869-b25b-fa6518414899.json | 94 ------- ...0b7a7-9c34-4869-b25b-fa6518414899_104.json | 95 +++++++ ...0b7a7-9c34-4869-b25b-fa6518414899_105.json | 95 +++++++ ...0b7a7-9c34-4869-b25b-fa6518414899_106.json | 94 +++++++ .../15dacaa0-5b90-466b-acab-63435a59701a.json | 88 ------- ...acaa0-5b90-466b-acab-63435a59701a_102.json | 89 +++++++ ...acaa0-5b90-466b-acab-63435a59701a_103.json | 88 +++++++ .../16280f1e-57e6-4242-aa21-bb4d16f13b2f.json | 63 ----- ...80f1e-57e6-4242-aa21-bb4d16f13b2f_101.json | 65 +++++ ...80f1e-57e6-4242-aa21-bb4d16f13b2f_102.json | 63 +++++ .../166727ab-6768-4e26-b80c-948b228ffc06.json | 93 ------- ...66727ab-6768-4e26-b80c-948b228ffc06_2.json | 94 +++++++ ...66727ab-6768-4e26-b80c-948b228ffc06_3.json | 93 +++++++ .../16904215-2c95-4ac8-bf5c-12354e047192.json | 109 -------- ...04215-2c95-4ac8-bf5c-12354e047192_102.json | 110 ++++++++ ...04215-2c95-4ac8-bf5c-12354e047192_103.json | 109 ++++++++ .../169f3a93-efc7-4df2-94d6-0d9438c310d1.json | 95 ------- ...f3a93-efc7-4df2-94d6-0d9438c310d1_102.json | 97 +++++++ ...f3a93-efc7-4df2-94d6-0d9438c310d1_103.json | 95 +++++++ .../16a52c14-7883-47af-8745-9357803f0d4c.json | 100 ------- ...52c14-7883-47af-8745-9357803f0d4c_104.json | 101 +++++++ ...52c14-7883-47af-8745-9357803f0d4c_105.json | 101 +++++++ ...52c14-7883-47af-8745-9357803f0d4c_106.json | 100 +++++++ .../16fac1a1-21ee-4ca6-b720-458e3855d046.json | 120 --------- ...ac1a1-21ee-4ca6-b720-458e3855d046_105.json | 125 +++++++++ ...ac1a1-21ee-4ca6-b720-458e3855d046_106.json | 120 +++++++++ ...ac1a1-21ee-4ca6-b720-458e3855d046_107.json | 120 +++++++++ .../1781d055-5c66-4adf-9c59-fc0fa58336a5.json | 67 ----- ...1d055-5c66-4adf-9c59-fc0fa58336a5_102.json | 68 +++++ ...1d055-5c66-4adf-9c59-fc0fa58336a5_103.json | 67 +++++ .../1781d055-5c66-4adf-9c71-fc0fa58338c7.json | 61 ----- ...1d055-5c66-4adf-9c71-fc0fa58338c7_101.json | 62 +++++ ...1d055-5c66-4adf-9c71-fc0fa58338c7_102.json | 61 +++++ .../1781d055-5c66-4adf-9d60-fc0fa58337b6.json | 62 ----- ...1d055-5c66-4adf-9d60-fc0fa58337b6_102.json | 63 +++++ ...1d055-5c66-4adf-9d60-fc0fa58337b6_103.json | 62 +++++ .../1781d055-5c66-4adf-9d82-fc0fa58449c8.json | 48 ---- ...1d055-5c66-4adf-9d82-fc0fa58449c8_101.json | 49 ++++ ...1d055-5c66-4adf-9d82-fc0fa58449c8_102.json | 48 ++++ .../1781d055-5c66-4adf-9e93-fc0fa69550c9.json | 55 ---- ...1d055-5c66-4adf-9e93-fc0fa69550c9_101.json | 56 ++++ ...1d055-5c66-4adf-9e93-fc0fa69550c9_102.json | 55 ++++ .../17b0a495-4d9f-414c-8ad0-92f018b8e001.json | 121 --------- ...7b0a495-4d9f-414c-8ad0-92f018b8e001_1.json | 122 +++++++++ ...7b0a495-4d9f-414c-8ad0-92f018b8e001_2.json | 121 +++++++++ .../17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json | 92 ------- ...7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json | 93 +++++++ ...7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json | 92 +++++++ .../17e68559-b274-4948-ad0b-f8415bb31126.json | 32 --- ...68559-b274-4948-ad0b-f8415bb31126_101.json | 34 +++ ...68559-b274-4948-ad0b-f8415bb31126_102.json | 32 +++ .../184dfe52-2999-42d9-b9d1-d1ca54495a61.json | 80 ------ ...dfe52-2999-42d9-b9d1-d1ca54495a61_103.json | 82 ++++++ ...dfe52-2999-42d9-b9d1-d1ca54495a61_104.json | 80 ++++++ .../19de8096-e2b0-4bd8-80c9-34a820813fff.json | 38 --- ...e8096-e2b0-4bd8-80c9-34a820813fff_104.json | 39 +++ ...e8096-e2b0-4bd8-80c9-34a820813fff_105.json | 38 +++ .../1a36cace-11a7-43a8-9a10-b497c5a02cd3.json | 86 ------ ...6cace-11a7-43a8-9a10-b497c5a02cd3_101.json | 88 +++++++ ...6cace-11a7-43a8-9a10-b497c5a02cd3_102.json | 86 ++++++ .../1a6075b0-7479-450e-8fe7-b8b8438ac570.json | 101 ------- ...075b0-7479-450e-8fe7-b8b8438ac570_104.json | 102 +++++++ ...075b0-7479-450e-8fe7-b8b8438ac570_105.json | 101 +++++++ .../1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json | 96 ------- ...8fa52-44a7-4dae-b058-f3333b91c8d7_105.json | 98 +++++++ ...8fa52-44a7-4dae-b058-f3333b91c8d7_106.json | 96 +++++++ .../1aa9181a-492b-4c01-8b16-fa0735786b2b.json | 98 ------- ...9181a-492b-4c01-8b16-fa0735786b2b_104.json | 99 +++++++ ...9181a-492b-4c01-8b16-fa0735786b2b_105.json | 98 +++++++ .../1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json | 86 ------ ...1abcc-4d9f-4b08-a7f5-316f5f94b973_102.json | 87 ++++++ ...1abcc-4d9f-4b08-a7f5-316f5f94b973_103.json | 86 ++++++ .../1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json | 93 ------- ...5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json | 96 +++++++ ...5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json | 93 +++++++ .../1c27fa22-7727-4dd3-81c0-de6da5555feb.json | 97 ------- ...c27fa22-7727-4dd3-81c0-de6da5555feb_4.json | 99 +++++++ ...c27fa22-7727-4dd3-81c0-de6da5555feb_5.json | 98 +++++++ ...c27fa22-7727-4dd3-81c0-de6da5555feb_6.json | 97 +++++++ ...c27fa22-7727-4dd3-81c0-de6da5555feb_7.json | 97 +++++++ .../1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json | 122 --------- ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json | 124 +++++++++ ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json | 122 +++++++++ .../1c84dd64-7e6c-4bad-ac73-a5014ee37042.json | 168 ------------ ...4dd64-7e6c-4bad-ac73-a5014ee37042_104.json | 164 ++++++++++++ ...4dd64-7e6c-4bad-ac73-a5014ee37042_105.json | 164 ++++++++++++ ...4dd64-7e6c-4bad-ac73-a5014ee37042_106.json | 163 ++++++++++++ ...4dd64-7e6c-4bad-ac73-a5014ee37042_107.json | 168 ++++++++++++ .../1c966416-60c1-436b-bfd0-e002fddbfd89.json | 72 ----- ...66416-60c1-436b-bfd0-e002fddbfd89_101.json | 74 ++++++ ...66416-60c1-436b-bfd0-e002fddbfd89_102.json | 72 +++++ .../1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json | 120 --------- ...01db9-be24-4bef-8e7c-e923f0ff78ab_103.json | 121 +++++++++ ...01db9-be24-4bef-8e7c-e923f0ff78ab_104.json | 120 +++++++++ ...01db9-be24-4bef-8e7c-e923f0ff78ab_105.json | 120 +++++++++ .../1d276579-3380-4095-ad38-e596a01bc64f.json | 112 -------- ...76579-3380-4095-ad38-e596a01bc64f_104.json | 113 ++++++++ ...76579-3380-4095-ad38-e596a01bc64f_105.json | 113 ++++++++ ...76579-3380-4095-ad38-e596a01bc64f_106.json | 112 ++++++++ .../1d72d014-e2ab-4707-b056-9b96abe7b511.json | 111 -------- ...2d014-e2ab-4707-b056-9b96abe7b511_104.json | 112 ++++++++ ...2d014-e2ab-4707-b056-9b96abe7b511_105.json | 111 ++++++++ .../1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json | 85 ------ ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json | 86 ++++++ ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json | 85 ++++++ ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json | 85 ++++++ .../1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json | 92 ------- ...c51f6-ba26-49e7-9ef4-2655abb2361e_102.json | 93 +++++++ ...c51f6-ba26-49e7-9ef4-2655abb2361e_103.json | 92 +++++++ .../1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json | 112 -------- ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json | 113 ++++++++ ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json | 112 ++++++++ .../1defdd62-cd8d-426e-a246-81a37751bb2b.json | 126 --------- ...fdd62-cd8d-426e-a246-81a37751bb2b_104.json | 127 +++++++++ ...fdd62-cd8d-426e-a246-81a37751bb2b_105.json | 126 +++++++++ .../1e0b832e-957e-43ae-b319-db82d228c908.json | 80 ------ ...b832e-957e-43ae-b319-db82d228c908_101.json | 82 ++++++ ...b832e-957e-43ae-b319-db82d228c908_102.json | 80 ++++++ .../1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json | 66 ----- ...fc667-9ff1-4b33-9f40-fefca8537eb0_101.json | 67 +++++ ...fc667-9ff1-4b33-9f40-fefca8537eb0_102.json | 66 +++++ .../1f0a69c0-3392-4adf-b7d5-6012fd292da8.json | 106 -------- ...f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json | 107 ++++++++ ...f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json | 107 ++++++++ ...f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json | 106 ++++++++ ...f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json | 106 ++++++++ .../1faec04b-d902-4f89-8aff-92cd9043c16f.json | 58 ---- ...ec04b-d902-4f89-8aff-92cd9043c16f_101.json | 59 +++++ ...ec04b-d902-4f89-8aff-92cd9043c16f_102.json | 58 ++++ .../1fe3b299-fbb5-4657-a937-1d746f2c711a.json | 87 ------ ...3b299-fbb5-4657-a937-1d746f2c711a_104.json | 88 +++++++ ...3b299-fbb5-4657-a937-1d746f2c711a_105.json | 88 +++++++ ...3b299-fbb5-4657-a937-1d746f2c711a_106.json | 87 ++++++ .../2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json | 84 ------ ...3cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json | 85 ++++++ ...3cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json | 84 ++++++ .../201200f1-a99b-43fb-88ed-f65a45c4972c.json | 92 ------- ...200f1-a99b-43fb-88ed-f65a45c4972c_104.json | 93 +++++++ ...200f1-a99b-43fb-88ed-f65a45c4972c_105.json | 92 +++++++ .../203ab79b-239b-4aa5-8e54-fc50623ee8e4.json | 100 ------- ...ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json | 101 +++++++ ...ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json | 100 +++++++ .../2045567e-b0af-444a-8c0b-0b6e2dae9e13.json | 97 ------- ...5567e-b0af-444a-8c0b-0b6e2dae9e13_102.json | 99 +++++++ ...5567e-b0af-444a-8c0b-0b6e2dae9e13_103.json | 97 +++++++ .../20457e4f-d1de-4b92-ae69-142e27a4342a.json | 88 ------- ...57e4f-d1de-4b92-ae69-142e27a4342a_102.json | 89 +++++++ ...57e4f-d1de-4b92-ae69-142e27a4342a_103.json | 88 +++++++ .../208dbe77-01ed-4954-8d44-1e5751cb20de.json | 109 -------- ...dbe77-01ed-4954-8d44-1e5751cb20de_105.json | 115 ++++++++ ...dbe77-01ed-4954-8d44-1e5751cb20de_106.json | 115 ++++++++ ...dbe77-01ed-4954-8d44-1e5751cb20de_107.json | 110 ++++++++ ...dbe77-01ed-4954-8d44-1e5751cb20de_108.json | 109 ++++++++ .../21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json | 120 --------- ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json | 123 +++++++++ ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json | 120 +++++++++ .../220be143-5c67-4fdb-b6ce-dd6826d024fd.json | 113 -------- ...20be143-5c67-4fdb-b6ce-dd6826d024fd_3.json | 114 ++++++++ ...20be143-5c67-4fdb-b6ce-dd6826d024fd_4.json | 113 ++++++++ .../2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json | 119 --------- ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json | 120 +++++++++ ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json | 119 +++++++++ .../22599847-5d13-48cb-8872-5796fee8692b.json | 114 -------- ...99847-5d13-48cb-8872-5796fee8692b_104.json | 115 ++++++++ ...99847-5d13-48cb-8872-5796fee8692b_105.json | 115 ++++++++ ...99847-5d13-48cb-8872-5796fee8692b_106.json | 114 ++++++++ .../227dc608-e558-43d9-b521-150772250bae.json | 91 ------- ...dc608-e558-43d9-b521-150772250bae_103.json | 93 +++++++ ...dc608-e558-43d9-b521-150772250bae_104.json | 91 +++++++ .../2326d1b2-9acf-4dee-bd21-867ea7378b4d.json | 80 ------ ...6d1b2-9acf-4dee-bd21-867ea7378b4d_103.json | 82 ++++++ ...6d1b2-9acf-4dee-bd21-867ea7378b4d_104.json | 80 ++++++ .../2339f03c-f53f-40fa-834b-40c5983fc41f.json | 88 ------- ...9f03c-f53f-40fa-834b-40c5983fc41f_103.json | 89 +++++++ ...9f03c-f53f-40fa-834b-40c5983fc41f_104.json | 88 +++++++ .../25224a80-5a4a-4b8a-991e-6ab390465c4f.json | 115 -------- ...24a80-5a4a-4b8a-991e-6ab390465c4f_102.json | 116 ++++++++ ...24a80-5a4a-4b8a-991e-6ab390465c4f_103.json | 115 ++++++++ .../2636aa6c-88b5-4337-9c31-8d0192a8ef45.json | 95 ------- ...6aa6c-88b5-4337-9c31-8d0192a8ef45_101.json | 97 +++++++ ...6aa6c-88b5-4337-9c31-8d0192a8ef45_102.json | 95 +++++++ .../265db8f5-fc73-4d0d-b434-6483b56372e2.json | 107 -------- ...db8f5-fc73-4d0d-b434-6483b56372e2_104.json | 108 ++++++++ ...db8f5-fc73-4d0d-b434-6483b56372e2_105.json | 108 ++++++++ ...db8f5-fc73-4d0d-b434-6483b56372e2_106.json | 107 ++++++++ .../26b01043-4f04-4d2f-882a-5a1d2e95751b.json | 113 -------- ...6b01043-4f04-4d2f-882a-5a1d2e95751b_3.json | 114 ++++++++ ...6b01043-4f04-4d2f-882a-5a1d2e95751b_4.json | 113 ++++++++ .../26edba02-6979-4bce-920a-70b080a7be81.json | 80 ------ ...dba02-6979-4bce-920a-70b080a7be81_104.json | 82 ++++++ ...dba02-6979-4bce-920a-70b080a7be81_105.json | 80 ++++++ .../26f68dba-ce29-497b-8e13-b4fde1db5a2d.json | 96 ------- ...68dba-ce29-497b-8e13-b4fde1db5a2d_101.json | 98 +++++++ ...68dba-ce29-497b-8e13-b4fde1db5a2d_102.json | 96 +++++++ .../272a6484-2663-46db-a532-ef734bf9a796.json | 91 ------- ...a6484-2663-46db-a532-ef734bf9a796_101.json | 93 +++++++ ...a6484-2663-46db-a532-ef734bf9a796_102.json | 91 +++++++ .../2772264c-6fb9-4d9d-9014-b416eed21254.json | 118 --------- ...2264c-6fb9-4d9d-9014-b416eed21254_103.json | 119 +++++++++ ...2264c-6fb9-4d9d-9014-b416eed21254_104.json | 118 +++++++++ ...2264c-6fb9-4d9d-9014-b416eed21254_105.json | 118 +++++++++ .../2783d84f-5091-4d7d-9319-9fceda8fa71b.json | 76 ------ ...3d84f-5091-4d7d-9319-9fceda8fa71b_103.json | 78 ++++++ ...3d84f-5091-4d7d-9319-9fceda8fa71b_104.json | 76 ++++++ .../27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json | 94 ------- ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json | 96 +++++++ ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json | 94 +++++++ .../2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json | 114 -------- ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json | 120 +++++++++ ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json | 115 ++++++++ ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json | 114 ++++++++ .../2856446a-34e6-435b-9fb5-f8f040bfa7ed.json | 94 ------- ...6446a-34e6-435b-9fb5-f8f040bfa7ed_104.json | 95 +++++++ ...6446a-34e6-435b-9fb5-f8f040bfa7ed_105.json | 94 +++++++ .../2863ffeb-bf77-44dd-b7a5-93ef94b72036.json | 84 ------ ...3ffeb-bf77-44dd-b7a5-93ef94b72036_100.json | 85 ++++++ ...3ffeb-bf77-44dd-b7a5-93ef94b72036_101.json | 84 ++++++ .../28738f9f-7427-4d23-bc69-756708b5f624.json | 94 ------- ...8738f9f-7427-4d23-bc69-756708b5f624_1.json | 85 ++++++ ...8738f9f-7427-4d23-bc69-756708b5f624_2.json | 84 ++++++ ...8738f9f-7427-4d23-bc69-756708b5f624_3.json | 94 +++++++ .../29052c19-ff3e-42fd-8363-7be14d7c5469.json | 104 -------- ...52c19-ff3e-42fd-8363-7be14d7c5469_102.json | 106 ++++++++ ...52c19-ff3e-42fd-8363-7be14d7c5469_103.json | 104 ++++++++ .../290aca65-e94d-403b-ba0f-62f320e63f51.json | 91 ------- ...aca65-e94d-403b-ba0f-62f320e63f51_104.json | 92 +++++++ ...aca65-e94d-403b-ba0f-62f320e63f51_105.json | 92 +++++++ ...aca65-e94d-403b-ba0f-62f320e63f51_106.json | 91 +++++++ .../2917d495-59bd-4250-b395-c29409b76086.json | 116 -------- ...7d495-59bd-4250-b395-c29409b76086_104.json | 117 +++++++++ ...7d495-59bd-4250-b395-c29409b76086_105.json | 116 ++++++++ .../291a0de9-937a-4189-94c0-3e847c8b13e4.json | 96 ------- ...a0de9-937a-4189-94c0-3e847c8b13e4_105.json | 102 +++++++ ...a0de9-937a-4189-94c0-3e847c8b13e4_106.json | 102 +++++++ ...a0de9-937a-4189-94c0-3e847c8b13e4_107.json | 97 +++++++ ...a0de9-937a-4189-94c0-3e847c8b13e4_108.json | 96 +++++++ .../2a692072-d78d-42f3-a48a-775677d79c4e.json | 93 ------- ...a692072-d78d-42f3-a48a-775677d79c4e_1.json | 93 +++++++ .../2abda169-416b-4bb3-9a6b-f8d239fd78ba.json | 107 -------- ...da169-416b-4bb3-9a6b-f8d239fd78ba_201.json | 109 ++++++++ ...da169-416b-4bb3-9a6b-f8d239fd78ba_202.json | 107 ++++++++ .../2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json | 83 ------ ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json | 84 ++++++ ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json | 83 ++++++ .../2bf78aa2-9c56-48de-b139-f169bf99cf86.json | 96 ------- ...78aa2-9c56-48de-b139-f169bf99cf86_104.json | 97 +++++++ ...78aa2-9c56-48de-b139-f169bf99cf86_105.json | 97 +++++++ ...78aa2-9c56-48de-b139-f169bf99cf86_106.json | 96 +++++++ .../2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json | 128 --------- ...7e5d7-08b9-43b2-b58a-0270d65ac85b_104.json | 129 +++++++++ ...7e5d7-08b9-43b2-b58a-0270d65ac85b_105.json | 128 +++++++++ .../2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json | 104 -------- ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json | 105 ++++++++ ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json | 104 ++++++++ .../2d8043ed-5bda-4caf-801c-c1feb7410504.json | 93 ------- ...043ed-5bda-4caf-801c-c1feb7410504_103.json | 82 ++++++ ...043ed-5bda-4caf-801c-c1feb7410504_104.json | 93 +++++++ .../2dd480be-1263-4d9c-8672-172928f6789a.json | 89 ------- ...480be-1263-4d9c-8672-172928f6789a_104.json | 90 +++++++ ...480be-1263-4d9c-8672-172928f6789a_105.json | 90 +++++++ ...480be-1263-4d9c-8672-172928f6789a_106.json | 89 +++++++ ...480be-1263-4d9c-8672-172928f6789a_108.json | 89 +++++++ .../2de10e77-c144-4e69-afb7-344e7127abd0.json | 87 ------ ...10e77-c144-4e69-afb7-344e7127abd0_101.json | 89 +++++++ ...10e77-c144-4e69-afb7-344e7127abd0_102.json | 87 ++++++ .../2de87d72-ee0c-43e2-b975-5f0b029ac600.json | 115 -------- ...de87d72-ee0c-43e2-b975-5f0b029ac600_3.json | 116 ++++++++ ...de87d72-ee0c-43e2-b975-5f0b029ac600_4.json | 116 ++++++++ ...de87d72-ee0c-43e2-b975-5f0b029ac600_5.json | 115 ++++++++ .../2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json | 93 ------- ...e835d-01e5-48ca-b9fc-7a61f7f11902_104.json | 94 +++++++ ...e835d-01e5-48ca-b9fc-7a61f7f11902_105.json | 94 +++++++ ...e835d-01e5-48ca-b9fc-7a61f7f11902_106.json | 93 +++++++ .../2e29e96a-b67c-455a-afe4-de6183431d0d.json | 106 -------- ...9e96a-b67c-455a-afe4-de6183431d0d_105.json | 102 +++++++ ...9e96a-b67c-455a-afe4-de6183431d0d_106.json | 107 ++++++++ ...9e96a-b67c-455a-afe4-de6183431d0d_107.json | 106 ++++++++ .../2e580225-2a58-48ef-938b-572933be06fe.json | 68 ----- ...80225-2a58-48ef-938b-572933be06fe_101.json | 72 +++++ ...80225-2a58-48ef-938b-572933be06fe_102.json | 68 +++++ .../2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json | 87 ------ ...c8076-291e-41e9-81e4-e3fcbc97ae5e_104.json | 88 +++++++ ...c8076-291e-41e9-81e4-e3fcbc97ae5e_105.json | 87 ++++++ .../2f2f4939-0b34-40c2-a0a3-844eb7889f43.json | 105 -------- ...f4939-0b34-40c2-a0a3-844eb7889f43_105.json | 106 ++++++++ ...f4939-0b34-40c2-a0a3-844eb7889f43_106.json | 105 ++++++++ .../2f8a1226-5720-437d-9c20-e0029deb6194.json | 85 ------ ...a1226-5720-437d-9c20-e0029deb6194_103.json | 91 +++++++ ...a1226-5720-437d-9c20-e0029deb6194_104.json | 90 +++++++ ...a1226-5720-437d-9c20-e0029deb6194_105.json | 85 ++++++ .../2fba96c0-ade5-4bce-b92f-a5df2509da3f.json | 103 -------- ...a96c0-ade5-4bce-b92f-a5df2509da3f_104.json | 104 ++++++++ ...a96c0-ade5-4bce-b92f-a5df2509da3f_105.json | 104 ++++++++ ...a96c0-ade5-4bce-b92f-a5df2509da3f_106.json | 103 ++++++++ .../2ffa1f1e-b6db-47fa-994b-1512743847eb.json | 106 -------- ...a1f1e-b6db-47fa-994b-1512743847eb_104.json | 107 ++++++++ ...a1f1e-b6db-47fa-994b-1512743847eb_105.json | 106 ++++++++ .../30562697-9859-4ae0-a8c5-dab45d664170.json | 76 ------ ...62697-9859-4ae0-a8c5-dab45d664170_103.json | 78 ++++++ ...62697-9859-4ae0-a8c5-dab45d664170_104.json | 76 ++++++ .../30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json | 90 ------- ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json | 91 +++++++ ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json | 90 +++++++ .../3115bd2c-0baa-4df0-80ea-45e474b5ef93.json | 57 ---- ...5bd2c-0baa-4df0-80ea-45e474b5ef93_100.json | 58 ++++ ...5bd2c-0baa-4df0-80ea-45e474b5ef93_101.json | 57 ++++ .../31295df3-277b-4c56-a1fb-84e31b4222a9.json | 57 ---- ...95df3-277b-4c56-a1fb-84e31b4222a9_101.json | 61 +++++ ...95df3-277b-4c56-a1fb-84e31b4222a9_102.json | 57 ++++ .../31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json | 93 ------- ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json | 94 +++++++ ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json | 94 +++++++ ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json | 93 +++++++ .../3202e172-01b1-4738-a932-d024c514ba72.json | 80 ------ ...2e172-01b1-4738-a932-d024c514ba72_103.json | 82 ++++++ ...2e172-01b1-4738-a932-d024c514ba72_104.json | 80 ++++++ .../323cb487-279d-4218-bcbd-a568efe930c6.json | 87 ------ ...cb487-279d-4218-bcbd-a568efe930c6_101.json | 89 +++++++ ...cb487-279d-4218-bcbd-a568efe930c6_102.json | 87 ++++++ .../32923416-763a-4531-bb35-f33b9232ecdb.json | 84 ------ ...23416-763a-4531-bb35-f33b9232ecdb_100.json | 87 ++++++ ...23416-763a-4531-bb35-f33b9232ecdb_101.json | 84 ++++++ .../32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json | 87 ------ ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json | 88 +++++++ ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json | 87 ++++++ .../32f4675e-6c49-4ace-80f9-97c9259dca2e.json | 93 ------- ...4675e-6c49-4ace-80f9-97c9259dca2e_104.json | 94 +++++++ ...4675e-6c49-4ace-80f9-97c9259dca2e_105.json | 93 +++++++ .../333de828-8190-4cf5-8d7c-7575846f6fe0.json | 98 ------- ...de828-8190-4cf5-8d7c-7575846f6fe0_105.json | 101 +++++++ ...de828-8190-4cf5-8d7c-7575846f6fe0_106.json | 98 +++++++ .../33a6752b-da5e-45f8-b13a-5f094c09522f.json | 78 ------ ...3a6752b-da5e-45f8-b13a-5f094c09522f_1.json | 79 ++++++ ...3a6752b-da5e-45f8-b13a-5f094c09522f_2.json | 78 ++++++ .../33f306e8-417c-411b-965c-c2812d6d3f4d.json | 134 ---------- ...306e8-417c-411b-965c-c2812d6d3f4d_104.json | 135 ++++++++++ ...306e8-417c-411b-965c-c2812d6d3f4d_105.json | 135 ++++++++++ ...306e8-417c-411b-965c-c2812d6d3f4d_106.json | 134 ++++++++++ .../34fde489-94b0-4500-a76f-b8a157cf9269.json | 101 ------- ...de489-94b0-4500-a76f-b8a157cf9269_102.json | 111 ++++++++ ...de489-94b0-4500-a76f-b8a157cf9269_103.json | 101 +++++++ .../35330ba2-c859-4c98-8b7f-c19159ea0e58.json | 97 ------- ...30ba2-c859-4c98-8b7f-c19159ea0e58_102.json | 98 +++++++ ...30ba2-c859-4c98-8b7f-c19159ea0e58_103.json | 97 +++++++ .../3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json | 79 ------ ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json | 80 ++++++ ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json | 79 ++++++ .../35df0dd8-092d-4a83-88c1-5151a804f31b.json | 97 ------- ...f0dd8-092d-4a83-88c1-5151a804f31b_104.json | 98 +++++++ ...f0dd8-092d-4a83-88c1-5151a804f31b_105.json | 98 +++++++ ...f0dd8-092d-4a83-88c1-5151a804f31b_106.json | 97 +++++++ .../35f86980-1fb1-4dff-b311-3be941549c8d.json | 32 --- ...86980-1fb1-4dff-b311-3be941549c8d_101.json | 34 +++ ...86980-1fb1-4dff-b311-3be941549c8d_102.json | 32 +++ .../3688577a-d196-11ec-90b0-f661ea17fbce.json | 88 ------- ...8577a-d196-11ec-90b0-f661ea17fbce_104.json | 89 +++++++ ...8577a-d196-11ec-90b0-f661ea17fbce_105.json | 88 +++++++ .../36a8e048-d888-4f61-a8b9-0f9e2e40f317.json | 79 ------ ...8e048-d888-4f61-a8b9-0f9e2e40f317_102.json | 80 ++++++ ...8e048-d888-4f61-a8b9-0f9e2e40f317_103.json | 79 ++++++ .../378f9024-8a0c-46a5-aa08-ce147ac73a4e.json | 94 ------- ...f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json | 97 +++++++ ...f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json | 94 +++++++ .../37994bca-0611-4500-ab67-5588afe73b77.json | 85 ------ ...94bca-0611-4500-ab67-5588afe73b77_104.json | 87 ++++++ ...94bca-0611-4500-ab67-5588afe73b77_105.json | 85 ++++++ .../37b211e8-4e2f-440f-86d8-06cc8f158cfa.json | 95 ------- ...211e8-4e2f-440f-86d8-06cc8f158cfa_105.json | 98 +++++++ ...211e8-4e2f-440f-86d8-06cc8f158cfa_106.json | 95 +++++++ .../37f638ea-909d-4f94-9248-edd21e4a9906.json | 87 ------ ...638ea-909d-4f94-9248-edd21e4a9906_102.json | 88 +++++++ ...638ea-909d-4f94-9248-edd21e4a9906_103.json | 87 ++++++ .../3805c3dc-f82c-4f8d-891e-63c24d3102b0.json | 72 ----- ...5c3dc-f82c-4f8d-891e-63c24d3102b0_102.json | 74 ++++++ ...5c3dc-f82c-4f8d-891e-63c24d3102b0_103.json | 72 +++++ .../3838e0e3-1850-4850-a411-2e8c5ba40ba8.json | 91 ------- ...8e0e3-1850-4850-a411-2e8c5ba40ba8_104.json | 92 +++++++ ...8e0e3-1850-4850-a411-2e8c5ba40ba8_105.json | 92 +++++++ ...8e0e3-1850-4850-a411-2e8c5ba40ba8_106.json | 91 +++++++ .../38948d29-3d5d-42e3-8aec-be832aaaf8eb.json | 89 ------- ...48d29-3d5d-42e3-8aec-be832aaaf8eb_102.json | 90 +++++++ ...48d29-3d5d-42e3-8aec-be832aaaf8eb_103.json | 89 +++++++ .../38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json | 76 ------ ...5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json | 78 ++++++ ...5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json | 76 ++++++ .../38f384e0-aef8-11ed-9a38-f661ea17fbcc.json | 93 ------- ...8f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json | 96 +++++++ ...8f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json | 93 +++++++ .../39144f38-5284-4f8e-a2ae-e3fd628d90b0.json | 90 ------- ...44f38-5284-4f8e-a2ae-e3fd628d90b0_102.json | 92 +++++++ ...44f38-5284-4f8e-a2ae-e3fd628d90b0_103.json | 90 +++++++ .../397945f3-d39a-4e6f-8bcb-9656c2031438.json | 87 ------ ...945f3-d39a-4e6f-8bcb-9656c2031438_102.json | 88 +++++++ ...945f3-d39a-4e6f-8bcb-9656c2031438_103.json | 87 ++++++ .../3a59fc81-99d3-47ea-8cd6-d48d561fca20.json | 105 -------- ...9fc81-99d3-47ea-8cd6-d48d561fca20_104.json | 106 ++++++++ ...9fc81-99d3-47ea-8cd6-d48d561fca20_105.json | 105 ++++++++ .../3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json | 93 ------- ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json | 94 +++++++ ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json | 93 +++++++ .../3ad49c61-7adc-42c1-b788-732eda2f5abf.json | 87 ------ ...49c61-7adc-42c1-b788-732eda2f5abf_101.json | 91 +++++++ ...49c61-7adc-42c1-b788-732eda2f5abf_102.json | 87 ++++++ .../3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json | 79 ------ ...77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json | 82 ++++++ ...77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json | 79 ++++++ ...77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json | 79 ++++++ .../3b382770-efbb-44f4-beed-f5e0a051b895.json | 55 ---- ...82770-efbb-44f4-beed-f5e0a051b895_100.json | 56 ++++ ...82770-efbb-44f4-beed-f5e0a051b895_101.json | 55 ++++ .../3b47900d-e793-49e8-968f-c90dc3526aa1.json | 85 ------ ...7900d-e793-49e8-968f-c90dc3526aa1_104.json | 86 ++++++ ...7900d-e793-49e8-968f-c90dc3526aa1_105.json | 85 ++++++ .../3bc6deaa-fbd4-433a-ae21-3e892f95624f.json | 99 ------- ...6deaa-fbd4-433a-ae21-3e892f95624f_104.json | 100 +++++++ ...6deaa-fbd4-433a-ae21-3e892f95624f_105.json | 99 +++++++ .../3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json | 36 --- ...e32e6-6104-46d9-a06e-da0f8b5795a0_101.json | 37 +++ ...e32e6-6104-46d9-a06e-da0f8b5795a0_102.json | 36 +++ .../3e002465-876f-4f04-b016-84ef48ce7e5d.json | 111 -------- ...02465-876f-4f04-b016-84ef48ce7e5d_105.json | 113 ++++++++ ...02465-876f-4f04-b016-84ef48ce7e5d_106.json | 111 ++++++++ .../3e0eeb75-16e8-4f2f-9826-62461ca128b7.json | 141 ---------- ...e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json | 142 ++++++++++ ...e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json | 141 ++++++++++ .../3e3d15c6-1509-479a-b125-21718372157e.json | 85 ------ ...d15c6-1509-479a-b125-21718372157e_102.json | 86 ++++++ ...d15c6-1509-479a-b125-21718372157e_103.json | 85 ++++++ .../3ecbdc9e-e4f2-43fa-8cca-63802125e582.json | 91 ------- ...bdc9e-e4f2-43fa-8cca-63802125e582_103.json | 92 +++++++ ...bdc9e-e4f2-43fa-8cca-63802125e582_104.json | 92 +++++++ ...bdc9e-e4f2-43fa-8cca-63802125e582_105.json | 91 +++++++ .../3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json | 113 -------- ...032b2-45d8-4406-bc79-7ad1eabb2c72_104.json | 114 ++++++++ ...032b2-45d8-4406-bc79-7ad1eabb2c72_105.json | 113 ++++++++ ...032b2-45d8-4406-bc79-7ad1eabb2c72_107.json | 113 ++++++++ .../3efee4f0-182a-40a8-a835-102c68a4175d.json | 86 ------ ...ee4f0-182a-40a8-a835-102c68a4175d_101.json | 88 +++++++ ...ee4f0-182a-40a8-a835-102c68a4175d_102.json | 86 ++++++ .../3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json | 84 ------ ...e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json | 86 ++++++ ...e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json | 84 ++++++ .../3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json | 91 ------- ...f9fe2-d095-11ec-95dc-f661ea17fbce_104.json | 92 +++++++ ...f9fe2-d095-11ec-95dc-f661ea17fbce_105.json | 91 +++++++ .../403ef0d3-8259-40c9-a5b6-d48354712e49.json | 89 ------- ...ef0d3-8259-40c9-a5b6-d48354712e49_102.json | 90 +++++++ ...ef0d3-8259-40c9-a5b6-d48354712e49_103.json | 89 +++++++ .../40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json | 81 ------ ...0ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json | 81 ++++++ .../416697ae-e468-4093-a93d-59661fa619ec.json | 95 ------- ...697ae-e468-4093-a93d-59661fa619ec_104.json | 96 +++++++ ...697ae-e468-4093-a93d-59661fa619ec_105.json | 95 +++++++ .../41824afb-d68c-4d0e-bfee-474dac1fa56e.json | 87 ------ ...24afb-d68c-4d0e-bfee-474dac1fa56e_101.json | 88 +++++++ ...24afb-d68c-4d0e-bfee-474dac1fa56e_102.json | 87 ++++++ .../41b638a1-8ab6-4f8e-86d9-466317ef2db5.json | 91 ------- ...638a1-8ab6-4f8e-86d9-466317ef2db5_102.json | 92 +++++++ ...638a1-8ab6-4f8e-86d9-466317ef2db5_103.json | 91 +++++++ .../42bf698b-4738-445b-8231-c834ddefd8a0.json | 85 ------ ...f698b-4738-445b-8231-c834ddefd8a0_102.json | 87 ++++++ ...f698b-4738-445b-8231-c834ddefd8a0_103.json | 85 ++++++ .../42eeee3d-947f-46d3-a14d-7036b962c266.json | 122 --------- ...2eeee3d-947f-46d3-a14d-7036b962c266_5.json | 128 +++++++++ ...2eeee3d-947f-46d3-a14d-7036b962c266_6.json | 123 +++++++++ ...2eeee3d-947f-46d3-a14d-7036b962c266_7.json | 122 +++++++++ .../4330272b-9724-4bc6-a3ca-f1532b81e5c2.json | 51 ---- ...0272b-9724-4bc6-a3ca-f1532b81e5c2_101.json | 52 ++++ ...0272b-9724-4bc6-a3ca-f1532b81e5c2_102.json | 51 ++++ .../43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json | 89 ------- ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json | 89 +++++++ .../440e2db4-bc7f-4c96-a068-65b78da59bde.json | 101 ------- ...e2db4-bc7f-4c96-a068-65b78da59bde_104.json | 102 +++++++ ...e2db4-bc7f-4c96-a068-65b78da59bde_105.json | 102 +++++++ ...e2db4-bc7f-4c96-a068-65b78da59bde_106.json | 101 +++++++ .../445a342e-03fb-42d0-8656-0367eb2dead5.json | 84 ------ ...a342e-03fb-42d0-8656-0367eb2dead5_102.json | 85 ++++++ ...a342e-03fb-42d0-8656-0367eb2dead5_103.json | 84 ++++++ .../44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json | 108 -------- ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json | 114 ++++++++ ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json | 109 ++++++++ ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json | 108 ++++++++ ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json | 108 ++++++++ .../453f659e-0429-40b1-bfdb-b6957286e04b.json | 74 ------ ...f659e-0429-40b1-bfdb-b6957286e04b_100.json | 75 ++++++ ...f659e-0429-40b1-bfdb-b6957286e04b_101.json | 74 ++++++ .../45ac4800-840f-414c-b221-53dd36a5aaf7.json | 81 ------ ...c4800-840f-414c-b221-53dd36a5aaf7_105.json | 82 ++++++ ...c4800-840f-414c-b221-53dd36a5aaf7_106.json | 82 ++++++ ...c4800-840f-414c-b221-53dd36a5aaf7_107.json | 81 ++++++ .../45d273fb-1dca-457d-9855-bcb302180c21.json | 106 -------- ...273fb-1dca-457d-9855-bcb302180c21_105.json | 107 ++++++++ ...273fb-1dca-457d-9855-bcb302180c21_106.json | 106 ++++++++ .../4630d948-40d4-4cef-ac69-4002e29bc3db.json | 123 --------- ...0d948-40d4-4cef-ac69-4002e29bc3db_104.json | 104 ++++++++ ...0d948-40d4-4cef-ac69-4002e29bc3db_105.json | 124 +++++++++ ...0d948-40d4-4cef-ac69-4002e29bc3db_106.json | 124 +++++++++ ...0d948-40d4-4cef-ac69-4002e29bc3db_107.json | 123 +++++++++ .../4682fd2c-cfae-47ed-a543-9bed37657aa6.json | 88 ------- ...2fd2c-cfae-47ed-a543-9bed37657aa6_104.json | 89 +++++++ ...2fd2c-cfae-47ed-a543-9bed37657aa6_105.json | 88 +++++++ .../46f804f5-b289-43d6-a881-9387cf594f75.json | 62 ----- ...804f5-b289-43d6-a881-9387cf594f75_102.json | 63 +++++ ...804f5-b289-43d6-a881-9387cf594f75_103.json | 62 +++++ .../474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json | 92 ------- ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json | 93 +++++++ ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json | 92 +++++++ .../47e22836-4a16-4b35-beee-98f6c4ee9bf2.json | 118 --------- ...22836-4a16-4b35-beee-98f6c4ee9bf2_105.json | 123 +++++++++ ...22836-4a16-4b35-beee-98f6c4ee9bf2_106.json | 118 +++++++++ ...22836-4a16-4b35-beee-98f6c4ee9bf2_107.json | 118 +++++++++ .../47f76567-d58a-4fed-b32b-21f571e28910.json | 112 -------- ...76567-d58a-4fed-b32b-21f571e28910_102.json | 113 ++++++++ ...76567-d58a-4fed-b32b-21f571e28910_103.json | 112 ++++++++ .../483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json | 94 ------- ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json | 94 +++++++ ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json | 94 +++++++ .../48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json | 119 --------- ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json | 119 +++++++++ .../48b6edfc-079d-4907-b43c-baffa243270d.json | 116 -------- ...8b6edfc-079d-4907-b43c-baffa243270d_4.json | 119 +++++++++ ...8b6edfc-079d-4907-b43c-baffa243270d_5.json | 122 +++++++++ ...8b6edfc-079d-4907-b43c-baffa243270d_6.json | 117 +++++++++ ...8b6edfc-079d-4907-b43c-baffa243270d_7.json | 116 ++++++++ .../48d7f54d-c29e-4430-93a9-9db6b5892270.json | 84 ------ ...7f54d-c29e-4430-93a9-9db6b5892270_102.json | 85 ++++++ ...7f54d-c29e-4430-93a9-9db6b5892270_103.json | 84 ++++++ .../48ec9452-e1fd-4513-a376-10a1a26d2c83.json | 88 ------- ...c9452-e1fd-4513-a376-10a1a26d2c83_102.json | 89 +++++++ ...c9452-e1fd-4513-a376-10a1a26d2c83_103.json | 88 +++++++ .../493834ca-f861-414c-8602-150d5505b777.json | 69 ----- ...834ca-f861-414c-8602-150d5505b777_100.json | 70 +++++ ...834ca-f861-414c-8602-150d5505b777_101.json | 69 +++++ .../494ebba4-ecb7-4be4-8c6f-654c686549ad.json | 89 ------- ...94ebba4-ecb7-4be4-8c6f-654c686549ad_1.json | 89 +++++++ .../495e5f2e-2480-11ed-bea8-f661ea17fbce.json | 108 -------- ...e5f2e-2480-11ed-bea8-f661ea17fbce_104.json | 110 ++++++++ ...e5f2e-2480-11ed-bea8-f661ea17fbce_105.json | 111 ++++++++ ...e5f2e-2480-11ed-bea8-f661ea17fbce_106.json | 108 ++++++++ .../4973e46b-a663-41b8-a875-ced16dda2bb0.json | 128 --------- ...973e46b-a663-41b8-a875-ced16dda2bb0_1.json | 128 +++++++++ .../4a4e23cf-78a2-449c-bac3-701924c269d3.json | 67 ----- ...e23cf-78a2-449c-bac3-701924c269d3_101.json | 71 +++++ ...e23cf-78a2-449c-bac3-701924c269d3_102.json | 67 +++++ .../4b1a807a-4e7b-414e-8cea-24bf580f6fc5.json | 124 --------- ...b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json | 124 +++++++++ .../4b438734-3793-4fda-bd42-ceeada0be8f9.json | 93 ------- ...38734-3793-4fda-bd42-ceeada0be8f9_104.json | 94 +++++++ ...38734-3793-4fda-bd42-ceeada0be8f9_105.json | 93 +++++++ .../4bd1c1af-79d4-4d37-9efa-6e0240640242.json | 92 ------- ...1c1af-79d4-4d37-9efa-6e0240640242_103.json | 93 +++++++ ...1c1af-79d4-4d37-9efa-6e0240640242_104.json | 92 +++++++ .../4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json | 112 -------- ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json | 113 ++++++++ ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json | 112 ++++++++ .../4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json | 126 --------- ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json | 126 +++++++++ .../4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json | 96 ------- ...0a94f-2844-43fa-8395-6afbd5e1c5ef_102.json | 98 +++++++ ...0a94f-2844-43fa-8395-6afbd5e1c5ef_103.json | 96 +++++++ .../4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json | 80 ------ ...13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json | 81 ++++++ ...13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json | 80 ++++++ .../4de76544-f0e5-486a-8f84-eae0b6063cdc.json | 116 -------- ...76544-f0e5-486a-8f84-eae0b6063cdc_105.json | 117 +++++++++ ...76544-f0e5-486a-8f84-eae0b6063cdc_106.json | 116 ++++++++ .../4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json | 113 -------- ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json | 119 +++++++++ ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json | 119 +++++++++ ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json | 114 ++++++++ ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json | 113 ++++++++ .../4ec47004-b34a-42e6-8003-376a123ea447.json | 85 ------ ...ec47004-b34a-42e6-8003-376a123ea447_1.json | 86 ++++++ ...ec47004-b34a-42e6-8003-376a123ea447_2.json | 85 ++++++ .../4ed493fc-d637-4a36-80ff-ac84937e5461.json | 94 ------- ...493fc-d637-4a36-80ff-ac84937e5461_104.json | 95 +++++++ ...493fc-d637-4a36-80ff-ac84937e5461_105.json | 94 +++++++ .../4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json | 89 ------- ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json | 90 +++++++ ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json | 89 +++++++ .../4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json | 100 ------- ...d3e1a-3aa0-499b-8147-4d2ea43b1613_102.json | 102 +++++++ ...d3e1a-3aa0-499b-8147-4d2ea43b1613_103.json | 100 +++++++ .../4fe9d835-40e1-452d-8230-17c147cafad8.json | 83 ------ ...9d835-40e1-452d-8230-17c147cafad8_103.json | 84 ++++++ ...9d835-40e1-452d-8230-17c147cafad8_104.json | 83 ++++++ .../513f0ffd-b317-4b9c-9494-92ce861f22c7.json | 82 ------ ...f0ffd-b317-4b9c-9494-92ce861f22c7_102.json | 83 ++++++ ...f0ffd-b317-4b9c-9494-92ce861f22c7_103.json | 82 ++++++ .../514121ce-c7b6-474a-8237-68ff71672379.json | 93 ------- ...121ce-c7b6-474a-8237-68ff71672379_101.json | 97 +++++++ ...121ce-c7b6-474a-8237-68ff71672379_102.json | 93 +++++++ .../51859fa0-d86b-4214-bf48-ebb30ed91305.json | 80 ------ ...59fa0-d86b-4214-bf48-ebb30ed91305_103.json | 82 ++++++ ...59fa0-d86b-4214-bf48-ebb30ed91305_104.json | 80 ++++++ .../51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json | 130 --------- ...e96fb-9e52-4dad-b0ba-99b54440fc9a_103.json | 131 +++++++++ ...e96fb-9e52-4dad-b0ba-99b54440fc9a_104.json | 130 +++++++++ .../521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json | 105 -------- ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json | 105 ++++++++ .../523116c0-d89d-4d7c-82c2-39e6845a78ef.json | 94 ------- ...116c0-d89d-4d7c-82c2-39e6845a78ef_102.json | 97 +++++++ ...116c0-d89d-4d7c-82c2-39e6845a78ef_103.json | 94 +++++++ .../52376a86-ee86-4967-97ae-1a05f55816f0.json | 137 ---------- ...76a86-ee86-4967-97ae-1a05f55816f0_103.json | 130 +++++++++ ...76a86-ee86-4967-97ae-1a05f55816f0_104.json | 130 +++++++++ ...76a86-ee86-4967-97ae-1a05f55816f0_105.json | 128 +++++++++ ...76a86-ee86-4967-97ae-1a05f55816f0_106.json | 137 ++++++++++ .../52aaab7b-b51c-441a-89ce-4387b3aea886.json | 131 --------- ...aab7b-b51c-441a-89ce-4387b3aea886_105.json | 132 ++++++++++ ...aab7b-b51c-441a-89ce-4387b3aea886_106.json | 131 +++++++++ .../52afbdc5-db15-485e-bc24-f5707f820c4b.json | 34 --- ...fbdc5-db15-485e-bc24-f5707f820c4b_101.json | 35 +++ ...fbdc5-db15-485e-bc24-f5707f820c4b_102.json | 34 +++ .../530178da-92ea-43ce-94c2-8877a826783d.json | 91 ------- ...178da-92ea-43ce-94c2-8877a826783d_102.json | 92 +++++++ ...178da-92ea-43ce-94c2-8877a826783d_103.json | 91 +++++++ .../53617418-17b4-4e9c-8a2c-8deb8086ca4b.json | 95 ------- ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json | 95 +++++++ .../536997f7-ae73-447d-a12d-bff1e8f5f0a0.json | 87 ------ ...997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json | 90 +++++++ ...997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json | 87 ++++++ .../5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json | 86 ------ ...0d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json | 89 +++++++ ...0d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json | 86 ++++++ .../53a26770-9cbd-40c5-8b57-61d01a325e14.json | 86 ------ ...26770-9cbd-40c5-8b57-61d01a325e14_104.json | 87 ++++++ ...26770-9cbd-40c5-8b57-61d01a325e14_105.json | 86 ++++++ .../54902e45-3467-49a4-8abc-529f2c8cfb80.json | 107 -------- ...02e45-3467-49a4-8abc-529f2c8cfb80_102.json | 108 ++++++++ ...02e45-3467-49a4-8abc-529f2c8cfb80_103.json | 107 ++++++++ .../54a81f68-5f2a-421e-8eed-f888278bb712.json | 94 ------- ...4a81f68-5f2a-421e-8eed-f888278bb712_2.json | 95 +++++++ ...4a81f68-5f2a-421e-8eed-f888278bb712_3.json | 94 +++++++ .../54c3d186-0461-4dc3-9b33-2dc5c7473936.json | 100 ------- ...3d186-0461-4dc3-9b33-2dc5c7473936_103.json | 101 +++++++ ...3d186-0461-4dc3-9b33-2dc5c7473936_104.json | 100 +++++++ .../55c2bf58-2a39-4c58-a384-c8b1978153c2.json | 90 ------- ...2bf58-2a39-4c58-a384-c8b1978153c2_103.json | 96 +++++++ ...2bf58-2a39-4c58-a384-c8b1978153c2_104.json | 91 +++++++ ...2bf58-2a39-4c58-a384-c8b1978153c2_105.json | 90 +++++++ .../55d551c6-333b-4665-ab7e-5d14a59715ce.json | 116 -------- ...551c6-333b-4665-ab7e-5d14a59715ce_104.json | 117 +++++++++ ...551c6-333b-4665-ab7e-5d14a59715ce_105.json | 116 ++++++++ .../56557cde-d923-4b88-adee-c61b3f3b5dc3.json | 78 ------ ...57cde-d923-4b88-adee-c61b3f3b5dc3_102.json | 78 ++++++ ...57cde-d923-4b88-adee-c61b3f3b5dc3_103.json | 78 ++++++ .../565c2b44-7a21-4818-955f-8d4737967d2e.json | 91 ------- ...c2b44-7a21-4818-955f-8d4737967d2e_102.json | 92 +++++++ ...c2b44-7a21-4818-955f-8d4737967d2e_103.json | 91 +++++++ .../565d6ca5-75ba-4c82-9b13-add25353471c.json | 83 ------ ...d6ca5-75ba-4c82-9b13-add25353471c_102.json | 84 ++++++ ...d6ca5-75ba-4c82-9b13-add25353471c_103.json | 83 ++++++ .../5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json | 81 ------ ...3b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json | 83 ++++++ ...3b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json | 81 ++++++ .../56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json | 99 ------- ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json | 100 +++++++ ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json | 100 +++++++ ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json | 99 +++++++ .../5700cb81-df44-46aa-a5d7-337798f53eb8.json | 102 ------- ...0cb81-df44-46aa-a5d7-337798f53eb8_101.json | 106 ++++++++ ...0cb81-df44-46aa-a5d7-337798f53eb8_102.json | 102 +++++++ .../571afc56-5ed9-465d-a2a9-045f099f6e7e.json | 81 ------ ...afc56-5ed9-465d-a2a9-045f099f6e7e_100.json | 82 ++++++ ...afc56-5ed9-465d-a2a9-045f099f6e7e_101.json | 81 ++++++ .../573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json | 74 ------ ...f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json | 77 ++++++ ...f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json | 74 ++++++ .../577ec21e-56fe-4065-91d8-45eb8224fe77.json | 117 --------- ...ec21e-56fe-4065-91d8-45eb8224fe77_105.json | 118 +++++++++ ...ec21e-56fe-4065-91d8-45eb8224fe77_106.json | 117 +++++++++ .../581add16-df76-42bb-af8e-c979bfb39a59.json | 91 ------- ...add16-df76-42bb-af8e-c979bfb39a59_104.json | 92 +++++++ ...add16-df76-42bb-af8e-c979bfb39a59_105.json | 91 +++++++ .../58aa72ca-d968-4f34-b9f7-bea51d75eb50.json | 98 ------- ...a72ca-d968-4f34-b9f7-bea51d75eb50_104.json | 109 ++++++++ ...a72ca-d968-4f34-b9f7-bea51d75eb50_105.json | 108 ++++++++ ...a72ca-d968-4f34-b9f7-bea51d75eb50_106.json | 98 +++++++ .../58ac2aa5-6718-427c-a845-5f3ac5af00ba.json | 78 ------ ...c2aa5-6718-427c-a845-5f3ac5af00ba_100.json | 82 ++++++ ...c2aa5-6718-427c-a845-5f3ac5af00ba_101.json | 78 ++++++ .../58bc134c-e8d2-4291-a552-b4b3e537c60b.json | 124 --------- ...c134c-e8d2-4291-a552-b4b3e537c60b_104.json | 125 +++++++++ ...c134c-e8d2-4291-a552-b4b3e537c60b_105.json | 124 +++++++++ .../58c6d58b-a0d3-412d-b3b8-0981a9400607.json | 103 -------- ...6d58b-a0d3-412d-b3b8-0981a9400607_104.json | 103 ++++++++ ...6d58b-a0d3-412d-b3b8-0981a9400607_105.json | 103 ++++++++ ...6d58b-a0d3-412d-b3b8-0981a9400607_106.json | 103 ++++++++ .../5930658c-2107-4afc-91af-e0e55b7f7184.json | 95 ------- ...0658c-2107-4afc-91af-e0e55b7f7184_101.json | 98 +++++++ ...0658c-2107-4afc-91af-e0e55b7f7184_102.json | 95 +++++++ .../594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json | 88 ------- ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json | 90 +++++++ ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json | 88 +++++++ .../59756272-1998-4b8c-be14-e287035c4d10.json | 51 ---- ...56272-1998-4b8c-be14-e287035c4d10_101.json | 52 ++++ ...56272-1998-4b8c-be14-e287035c4d10_102.json | 52 ++++ ...56272-1998-4b8c-be14-e287035c4d10_103.json | 51 ++++ .../5a14d01d-7ac8-4545-914c-b687c2cf66b3.json | 101 ------- ...4d01d-7ac8-4545-914c-b687c2cf66b3_103.json | 102 +++++++ ...4d01d-7ac8-4545-914c-b687c2cf66b3_104.json | 101 +++++++ .../5a3d5447-31c9-409a-aed1-72f9921594fd.json | 119 --------- ...a3d5447-31c9-409a-aed1-72f9921594fd_1.json | 119 +++++++++ .../5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json | 98 ------- ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json | 99 +++++++ ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json | 98 +++++++ .../5aee924b-6ceb-4633-980e-1bde8cdb40c5.json | 87 ------ ...e924b-6ceb-4633-980e-1bde8cdb40c5_103.json | 88 +++++++ ...e924b-6ceb-4633-980e-1bde8cdb40c5_104.json | 87 ++++++ .../5b03c9fb-9945-4d2f-9568-fd690fee3fba.json | 86 ------ ...3c9fb-9945-4d2f-9568-fd690fee3fba_103.json | 87 ++++++ ...3c9fb-9945-4d2f-9568-fd690fee3fba_104.json | 86 ++++++ .../5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json | 95 ------- ...4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json | 95 +++++++ ...4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json | 95 +++++++ .../5beaebc1-cc13-4bfc-9949-776f9e0dc318.json | 95 ------- ...aebc1-cc13-4bfc-9949-776f9e0dc318_102.json | 97 +++++++ ...aebc1-cc13-4bfc-9949-776f9e0dc318_103.json | 95 +++++++ .../5c6f4c58-b381-452a-8976-f1b1c6aa0def.json | 100 ------- ...c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json | 105 ++++++++ ...c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json | 100 +++++++ ...c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json | 100 +++++++ .../5c983105-4681-46c3-9890-0c66d05e776b.json | 51 ---- ...83105-4681-46c3-9890-0c66d05e776b_101.json | 52 ++++ ...83105-4681-46c3-9890-0c66d05e776b_102.json | 51 ++++ .../5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json | 73 ------ ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json | 74 ++++++ ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json | 73 ++++++ .../5cd55388-a19c-47c7-8ec4-f41656c2fded.json | 123 --------- ...55388-a19c-47c7-8ec4-f41656c2fded_102.json | 124 +++++++++ ...55388-a19c-47c7-8ec4-f41656c2fded_103.json | 123 +++++++++ .../5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json | 85 ------ ...8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json | 85 ++++++ ...8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json | 85 ++++++ ...8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json | 85 ++++++ .../5cf6397e-eb91-4f31-8951-9f0eaa755a31.json | 94 ------- ...cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json | 95 +++++++ ...cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json | 94 +++++++ .../5d0265bf-dea9-41a9-92ad-48a8dcd05080.json | 82 ------ ...265bf-dea9-41a9-92ad-48a8dcd05080_102.json | 83 ++++++ ...265bf-dea9-41a9-92ad-48a8dcd05080_103.json | 82 ++++++ .../5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json | 118 --------- ...d6907-0747-4d5d-9b24-e4a18853dc0a_102.json | 119 +++++++++ ...d6907-0747-4d5d-9b24-e4a18853dc0a_103.json | 118 +++++++++ .../5d9f8cfc-0d03-443e-a167-2b0597ce0965.json | 78 ------ ...f8cfc-0d03-443e-a167-2b0597ce0965_102.json | 79 ++++++ ...f8cfc-0d03-443e-a167-2b0597ce0965_103.json | 78 ++++++ .../5e161522-2545-11ed-ac47-f661ea17fbce.json | 76 ------ ...61522-2545-11ed-ac47-f661ea17fbce_104.json | 78 ++++++ ...61522-2545-11ed-ac47-f661ea17fbce_105.json | 79 ++++++ ...61522-2545-11ed-ac47-f661ea17fbce_106.json | 76 ++++++ .../5e552599-ddec-4e14-bad1-28aa42404388.json | 94 ------- ...52599-ddec-4e14-bad1-28aa42404388_101.json | 96 +++++++ ...52599-ddec-4e14-bad1-28aa42404388_102.json | 94 +++++++ .../60884af6-f553-4a6c-af13-300047455491.json | 82 ------ ...84af6-f553-4a6c-af13-300047455491_101.json | 84 ++++++ ...84af6-f553-4a6c-af13-300047455491_102.json | 82 ++++++ .../60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json | 88 ------- ...6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json | 90 +++++++ ...6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json | 88 +++++++ .../60f3adec-1df9-4104-9c75-b97d9f078b25.json | 90 ------- ...3adec-1df9-4104-9c75-b97d9f078b25_101.json | 92 +++++++ ...3adec-1df9-4104-9c75-b97d9f078b25_102.json | 90 +++++++ .../610949a1-312f-4e04-bb55-3a79b8c95267.json | 82 ------ ...949a1-312f-4e04-bb55-3a79b8c95267_104.json | 83 ++++++ ...949a1-312f-4e04-bb55-3a79b8c95267_105.json | 82 ++++++ .../61ac3638-40a3-44b2-855a-985636ca985e.json | 148 ----------- ...c3638-40a3-44b2-855a-985636ca985e_106.json | 144 ++++++++++ ...c3638-40a3-44b2-855a-985636ca985e_107.json | 149 +++++++++++ ...c3638-40a3-44b2-855a-985636ca985e_108.json | 148 +++++++++++ .../61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json | 84 ------ ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json | 89 +++++++ ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json | 84 ++++++ ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json | 84 ++++++ .../622ecb68-fa81-4601-90b5-f8cd661e4520.json | 147 ----------- ...ecb68-fa81-4601-90b5-f8cd661e4520_103.json | 148 +++++++++++ ...ecb68-fa81-4601-90b5-f8cd661e4520_104.json | 147 +++++++++++ .../62a70f6f-3c37-43df-a556-f64fa475fba2.json | 97 ------- ...70f6f-3c37-43df-a556-f64fa475fba2_105.json | 97 +++++++ ...70f6f-3c37-43df-a556-f64fa475fba2_106.json | 97 +++++++ ...70f6f-3c37-43df-a556-f64fa475fba2_107.json | 97 +++++++ .../63c05204-339a-11ed-a261-0242ac120002.json | 98 ------- ...3c05204-339a-11ed-a261-0242ac120002_4.json | 100 +++++++ ...3c05204-339a-11ed-a261-0242ac120002_5.json | 98 +++++++ .../63c056a0-339a-11ed-a261-0242ac120002.json | 76 ------ ...3c056a0-339a-11ed-a261-0242ac120002_3.json | 78 ++++++ ...3c056a0-339a-11ed-a261-0242ac120002_4.json | 76 ++++++ .../63c057cc-339a-11ed-a261-0242ac120002.json | 89 ------- ...3c057cc-339a-11ed-a261-0242ac120002_3.json | 91 +++++++ ...3c057cc-339a-11ed-a261-0242ac120002_4.json | 89 +++++++ .../63e65ec3-43b1-45b0-8f2d-45b34291dc44.json | 99 ------- ...65ec3-43b1-45b0-8f2d-45b34291dc44_102.json | 98 +++++++ ...65ec3-43b1-45b0-8f2d-45b34291dc44_103.json | 100 +++++++ ...65ec3-43b1-45b0-8f2d-45b34291dc44_104.json | 99 +++++++ .../647fc812-7996-4795-8869-9c4ea595fe88.json | 63 ----- ...fc812-7996-4795-8869-9c4ea595fe88_102.json | 63 +++++ ...fc812-7996-4795-8869-9c4ea595fe88_103.json | 63 +++++ .../6482255d-f468-45ea-a5b3-d3a7de1331ae.json | 91 ------- ...2255d-f468-45ea-a5b3-d3a7de1331ae_102.json | 92 +++++++ ...2255d-f468-45ea-a5b3-d3a7de1331ae_103.json | 91 +++++++ .../65f9bccd-510b-40df-8263-334f03174fed.json | 88 ------- ...9bccd-510b-40df-8263-334f03174fed_201.json | 90 +++++++ ...9bccd-510b-40df-8263-334f03174fed_202.json | 88 +++++++ .../661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json | 99 ------- ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json | 100 +++++++ ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json | 99 +++++++ .../6641a5af-fb7e-487a-adc4-9e6503365318.json | 78 ------ ...641a5af-fb7e-487a-adc4-9e6503365318_1.json | 79 ++++++ ...641a5af-fb7e-487a-adc4-9e6503365318_2.json | 78 ++++++ .../665e7a4f-c58e-4fc6-bc83-87a7572670ac.json | 76 ------ ...e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json | 77 ++++++ ...e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json | 76 ++++++ .../66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json | 110 -------- ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json | 110 ++++++++ .../66883649-f908-4a5b-a1e0-54090a1d3a32.json | 124 --------- ...83649-f908-4a5b-a1e0-54090a1d3a32_104.json | 115 ++++++++ ...83649-f908-4a5b-a1e0-54090a1d3a32_105.json | 125 +++++++++ ...83649-f908-4a5b-a1e0-54090a1d3a32_106.json | 124 +++++++++ .../66da12b1-ac83-40eb-814c-07ed1d82b7b9.json | 90 ------- ...a12b1-ac83-40eb-814c-07ed1d82b7b9_102.json | 91 +++++++ ...a12b1-ac83-40eb-814c-07ed1d82b7b9_103.json | 90 +++++++ .../670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json | 95 ------- ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json | 100 +++++++ ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json | 95 +++++++ ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json | 95 +++++++ .../6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json | 81 ------ ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json | 85 ++++++ ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json | 81 ++++++ .../675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json | 91 ------- ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json | 93 +++++++ ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json | 91 +++++++ .../676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json | 74 ------ ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json | 77 ++++++ ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json | 74 ++++++ .../67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json | 91 ------- ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json | 90 +++++++ ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json | 89 +++++++ ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json | 91 +++++++ .../6839c821-011d-43bd-bd5b-acff00257226.json | 82 ------ ...9c821-011d-43bd-bd5b-acff00257226_102.json | 83 ++++++ ...9c821-011d-43bd-bd5b-acff00257226_103.json | 82 ++++++ .../684554fc-0777-47ce-8c9b-3d01f198d7f8.json | 97 ------- ...554fc-0777-47ce-8c9b-3d01f198d7f8_101.json | 99 +++++++ ...554fc-0777-47ce-8c9b-3d01f198d7f8_102.json | 97 +++++++ .../6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json | 80 ------ ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json | 57 ++++ ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json | 80 ++++++ .../68921d85-d0dc-48b3-865f-43291ca2c4f2.json | 100 ------- ...21d85-d0dc-48b3-865f-43291ca2c4f2_103.json | 101 +++++++ ...21d85-d0dc-48b3-865f-43291ca2c4f2_104.json | 100 +++++++ .../68994a6c-c7ba-4e82-b476-26a26877adf6.json | 98 ------- ...94a6c-c7ba-4e82-b476-26a26877adf6_204.json | 100 +++++++ ...94a6c-c7ba-4e82-b476-26a26877adf6_205.json | 101 +++++++ ...94a6c-c7ba-4e82-b476-26a26877adf6_206.json | 98 +++++++ .../689b9d57-e4d5-4357-ad17-9c334609d79a.json | 113 -------- ...b9d57-e4d5-4357-ad17-9c334609d79a_102.json | 114 ++++++++ ...b9d57-e4d5-4357-ad17-9c334609d79a_103.json | 113 ++++++++ .../68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json | 111 -------- ...7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json | 113 ++++++++ ...7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json | 111 ++++++++ .../68d56fdc-7ffa-4419-8e95-81641bd6f845.json | 97 ------- ...56fdc-7ffa-4419-8e95-81641bd6f845_103.json | 98 +++++++ ...56fdc-7ffa-4419-8e95-81641bd6f845_104.json | 97 +++++++ .../6951f15e-533c-4a60-8014-a3c3ab851a1b.json | 88 ------- ...951f15e-533c-4a60-8014-a3c3ab851a1b_2.json | 91 +++++++ ...951f15e-533c-4a60-8014-a3c3ab851a1b_3.json | 88 +++++++ .../699e9fdb-b77c-4c01-995c-1c15019b9c43.json | 231 ---------------- ...e9fdb-b77c-4c01-995c-1c15019b9c43_103.json | 235 +++++++++++++++++ ...e9fdb-b77c-4c01-995c-1c15019b9c43_104.json | 230 ++++++++++++++++ ...e9fdb-b77c-4c01-995c-1c15019b9c43_204.json | 231 ++++++++++++++++ .../69c251fb-a5d6-4035-b5ec-40438bd829ff.json | 91 ------- ...251fb-a5d6-4035-b5ec-40438bd829ff_104.json | 92 +++++++ ...251fb-a5d6-4035-b5ec-40438bd829ff_105.json | 91 +++++++ .../69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json | 87 ------ ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json | 89 +++++++ ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json | 87 ++++++ .../6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json | 126 --------- ...ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json | 127 +++++++++ ...ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json | 126 +++++++++ .../6aace640-e631-4870-ba8e-5fdda09325db.json | 105 -------- ...ce640-e631-4870-ba8e-5fdda09325db_105.json | 106 ++++++++ ...ce640-e631-4870-ba8e-5fdda09325db_106.json | 105 ++++++++ .../6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json | 116 -------- ...4d470-9036-4cc0-a27c-6d90bbfe81ab_103.json | 117 +++++++++ ...4d470-9036-4cc0-a27c-6d90bbfe81ab_104.json | 116 ++++++++ .../6bed021a-0afb-461c-acbe-ffdb9574d3f3.json | 139 ---------- ...d021a-0afb-461c-acbe-ffdb9574d3f3_104.json | 143 ++++++++++ ...d021a-0afb-461c-acbe-ffdb9574d3f3_105.json | 138 ++++++++++ ...d021a-0afb-461c-acbe-ffdb9574d3f3_106.json | 139 ++++++++++ .../6cd1779c-560f-4b68-a8f1-11009b27fe63.json | 105 -------- ...1779c-560f-4b68-a8f1-11009b27fe63_102.json | 105 ++++++++ ...1779c-560f-4b68-a8f1-11009b27fe63_103.json | 105 ++++++++ .../6d448b96-c922-4adb-b51c-b767f1ea5b76.json | 63 ----- ...48b96-c922-4adb-b51c-b767f1ea5b76_104.json | 64 +++++ ...48b96-c922-4adb-b51c-b767f1ea5b76_105.json | 64 +++++ ...48b96-c922-4adb-b51c-b767f1ea5b76_106.json | 63 +++++ .../6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json | 99 ------- ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json | 100 +++++++ ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json | 99 +++++++ .../6e40d56f-5c0e-4ac6-aece-bee96645b172.json | 78 ------ ...0d56f-5c0e-4ac6-aece-bee96645b172_102.json | 79 ++++++ ...0d56f-5c0e-4ac6-aece-bee96645b172_103.json | 79 ++++++ ...0d56f-5c0e-4ac6-aece-bee96645b172_104.json | 78 ++++++ .../6e9130a5-9be6-48e5-943a-9628bfc74b18.json | 76 ------ ...130a5-9be6-48e5-943a-9628bfc74b18_103.json | 81 ++++++ ...130a5-9be6-48e5-943a-9628bfc74b18_104.json | 76 ++++++ ...130a5-9be6-48e5-943a-9628bfc74b18_105.json | 76 ++++++ .../6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json | 102 ------- ...b351e-a531-4bdc-b73e-7034d6eed7ff_102.json | 103 ++++++++ ...b351e-a531-4bdc-b73e-7034d6eed7ff_103.json | 102 +++++++ .../6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json | 115 -------- ...41894-66c3-4df7-ad6b-2c5074eb3df8_102.json | 116 ++++++++ ...41894-66c3-4df7-ad6b-2c5074eb3df8_103.json | 116 ++++++++ ...41894-66c3-4df7-ad6b-2c5074eb3df8_104.json | 115 ++++++++ .../6ea55c81-e2ba-42f2-a134-bccf857ba922.json | 98 ------- ...55c81-e2ba-42f2-a134-bccf857ba922_104.json | 99 +++++++ ...55c81-e2ba-42f2-a134-bccf857ba922_105.json | 98 +++++++ .../6f435062-b7fc-4af9-acea-5b1ead65c5a5.json | 86 ------ ...35062-b7fc-4af9-acea-5b1ead65c5a5_203.json | 87 ++++++ ...35062-b7fc-4af9-acea-5b1ead65c5a5_204.json | 88 +++++++ ...35062-b7fc-4af9-acea-5b1ead65c5a5_205.json | 86 ++++++ .../7024e2a0-315d-4334-bb1a-441c593e16ab.json | 96 ------- ...4e2a0-315d-4334-bb1a-441c593e16ab_105.json | 98 +++++++ ...4e2a0-315d-4334-bb1a-441c593e16ab_106.json | 96 +++++++ .../7024e2a0-315d-4334-bb1a-552d604f27bc.json | 91 ------- ...4e2a0-315d-4334-bb1a-552d604f27bc_105.json | 94 +++++++ ...4e2a0-315d-4334-bb1a-552d604f27bc_106.json | 91 +++++++ .../70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json | 115 -------- ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json | 116 ++++++++ ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json | 115 ++++++++ .../70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json | 110 -------- ...a1af4-27fd-4f26-bd03-50b6af6b9e24_102.json | 111 ++++++++ ...a1af4-27fd-4f26-bd03-50b6af6b9e24_103.json | 110 ++++++++ .../7164081a-3930-11ed-a261-0242ac120002.json | 109 -------- ...164081a-3930-11ed-a261-0242ac120002_2.json | 111 ++++++++ ...164081a-3930-11ed-a261-0242ac120002_3.json | 109 ++++++++ .../717f82c2-7741-4f9b-85b8-d06aeb853f4f.json | 93 ------- ...f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json | 89 +++++++ ...f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json | 88 +++++++ ...f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json | 93 +++++++ .../71bccb61-e19b-452f-b104-79a60e546a95.json | 96 ------- ...ccb61-e19b-452f-b104-79a60e546a95_105.json | 97 +++++++ ...ccb61-e19b-452f-b104-79a60e546a95_106.json | 97 +++++++ ...ccb61-e19b-452f-b104-79a60e546a95_107.json | 97 +++++++ ...ccb61-e19b-452f-b104-79a60e546a95_108.json | 96 +++++++ ...ccb61-e19b-452f-b104-79a60e546a95_109.json | 96 +++++++ .../71c5cb27-eca5-4151-bb47-64bc3f883270.json | 98 ------- ...5cb27-eca5-4151-bb47-64bc3f883270_102.json | 99 +++++++ ...5cb27-eca5-4151-bb47-64bc3f883270_103.json | 98 +++++++ .../721999d0-7ab2-44bf-b328-6e63367b9b29.json | 90 ------- ...999d0-7ab2-44bf-b328-6e63367b9b29_101.json | 92 +++++++ ...999d0-7ab2-44bf-b328-6e63367b9b29_102.json | 90 +++++++ .../729aa18d-06a6-41c7-b175-b65b739b1181.json | 75 ------ ...aa18d-06a6-41c7-b175-b65b739b1181_102.json | 77 ++++++ ...aa18d-06a6-41c7-b175-b65b739b1181_103.json | 75 ++++++ .../7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json | 128 --------- ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json | 129 +++++++++ ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json | 129 +++++++++ ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json | 128 +++++++++ .../7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json | 96 ------- ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json | 97 +++++++ ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json | 96 +++++++ .../745b0119-0560-43ba-860a-7235dd8cee8d.json | 53 ---- ...b0119-0560-43ba-860a-7235dd8cee8d_102.json | 53 ++++ ...b0119-0560-43ba-860a-7235dd8cee8d_103.json | 53 ++++ .../746edc4c-c54c-49c6-97a1-651223819448.json | 57 ---- ...edc4c-c54c-49c6-97a1-651223819448_101.json | 59 +++++ ...edc4c-c54c-49c6-97a1-651223819448_102.json | 57 ++++ .../7592c127-89fb-4209-a8f6-f9944dfd7e02.json | 71 ----- ...592c127-89fb-4209-a8f6-f9944dfd7e02_1.json | 71 +++++ .../75ee75d8-c180-481c-ba88-ee50129a6aef.json | 46 ---- ...e75d8-c180-481c-ba88-ee50129a6aef_101.json | 47 ++++ ...e75d8-c180-481c-ba88-ee50129a6aef_102.json | 46 ++++ .../76152ca1-71d0-4003-9e37-0983e12832da.json | 79 ------ ...52ca1-71d0-4003-9e37-0983e12832da_101.json | 80 ++++++ ...52ca1-71d0-4003-9e37-0983e12832da_102.json | 79 ++++++ .../764c8437-a581-4537-8060-1fdb0e92c92d.json | 108 -------- ...c8437-a581-4537-8060-1fdb0e92c92d_201.json | 110 ++++++++ ...c8437-a581-4537-8060-1fdb0e92c92d_202.json | 108 ++++++++ .../764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json | 95 ------- ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json | 100 +++++++ ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json | 95 +++++++ ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json | 95 +++++++ .../766d3f91-3f12-448c-b65f-20123e9e9e8c.json | 88 ------- ...d3f91-3f12-448c-b65f-20123e9e9e8c_103.json | 89 +++++++ ...d3f91-3f12-448c-b65f-20123e9e9e8c_104.json | 88 +++++++ .../76ddb638-abf7-42d5-be22-4a70b0bf7241.json | 79 ------ ...db638-abf7-42d5-be22-4a70b0bf7241_103.json | 80 ++++++ ...db638-abf7-42d5-be22-4a70b0bf7241_104.json | 79 ++++++ .../76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json | 124 --------- ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json | 124 +++++++++ .../76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json | 84 ------ ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json | 85 ++++++ ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json | 84 ++++++ .../770e0c4d-b998-41e5-a62e-c7901fd7f470.json | 127 --------- ...e0c4d-b998-41e5-a62e-c7901fd7f470_104.json | 128 +++++++++ ...e0c4d-b998-41e5-a62e-c7901fd7f470_105.json | 127 +++++++++ .../774f5e28-7b75-4a58-b94e-41bf060fdd86.json | 73 ------ ...f5e28-7b75-4a58-b94e-41bf060fdd86_101.json | 75 ++++++ ...f5e28-7b75-4a58-b94e-41bf060fdd86_102.json | 73 ++++++ .../77a3c3df-8ec4-4da4-b758-878f551dee69.json | 50 ---- ...3c3df-8ec4-4da4-b758-878f551dee69_101.json | 51 ++++ ...3c3df-8ec4-4da4-b758-878f551dee69_102.json | 50 ++++ .../781f8746-2180-4691-890c-4c96d11ca91d.json | 99 ------- ...81f8746-2180-4691-890c-4c96d11ca91d_1.json | 99 +++++++ .../785a404b-75aa-4ffd-8be5-3334a5a544dd.json | 80 ------ ...a404b-75aa-4ffd-8be5-3334a5a544dd_203.json | 82 ++++++ ...a404b-75aa-4ffd-8be5-3334a5a544dd_204.json | 83 ++++++ ...a404b-75aa-4ffd-8be5-3334a5a544dd_205.json | 80 ++++++ .../7882cebf-6cf1-4de3-9662-213aa13e8b80.json | 93 ------- ...2cebf-6cf1-4de3-9662-213aa13e8b80_104.json | 95 +++++++ ...2cebf-6cf1-4de3-9662-213aa13e8b80_105.json | 93 +++++++ .../78d3d8d9-b476-451d-a9e0-7a5addd70670.json | 38 --- ...3d8d9-b476-451d-a9e0-7a5addd70670_104.json | 39 +++ ...3d8d9-b476-451d-a9e0-7a5addd70670_105.json | 38 +++ .../78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json | 97 ------- ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json | 98 +++++++ ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json | 97 +++++++ .../792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json | 88 ------- ...dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json | 91 +++++++ ...dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json | 88 +++++++ .../79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json | 107 -------- ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json | 108 ++++++++ ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json | 107 ++++++++ .../79f97b31-480e-4e63-a7f4-ede42bf2c6de.json | 100 ------- ...97b31-480e-4e63-a7f4-ede42bf2c6de_104.json | 105 ++++++++ ...97b31-480e-4e63-a7f4-ede42bf2c6de_105.json | 100 +++++++ ...97b31-480e-4e63-a7f4-ede42bf2c6de_106.json | 100 +++++++ .../7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json | 93 ------- ...da11a-60a2-412e-8aa7-011e1eb9ed47_102.json | 96 +++++++ ...da11a-60a2-412e-8aa7-011e1eb9ed47_103.json | 93 +++++++ .../7b8bfc26-81d2-435e-965c-d722ee397ef1.json | 101 ------- ...bfc26-81d2-435e-965c-d722ee397ef1_104.json | 102 +++++++ ...bfc26-81d2-435e-965c-d722ee397ef1_105.json | 101 +++++++ .../7ba58110-ae13-439b-8192-357b0fcfa9d7.json | 99 ------- ...58110-ae13-439b-8192-357b0fcfa9d7_103.json | 100 +++++++ ...58110-ae13-439b-8192-357b0fcfa9d7_104.json | 99 +++++++ ...58110-ae13-439b-8192-357b0fcfa9d7_106.json | 99 +++++++ .../7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json | 81 ------ ...bb3ac-e533-41ad-a612-d6c3bf666aba_101.json | 82 ++++++ ...bb3ac-e533-41ad-a612-d6c3bf666aba_102.json | 81 ++++++ .../7caa8e60-2df0-11ed-b814-f661ea17fbce.json | 98 ------- ...a8e60-2df0-11ed-b814-f661ea17fbce_104.json | 100 +++++++ ...a8e60-2df0-11ed-b814-f661ea17fbce_105.json | 101 +++++++ ...a8e60-2df0-11ed-b814-f661ea17fbce_106.json | 98 +++++++ .../7ceb2216-47dd-4e64-9433-cddc99727623.json | 80 ------ ...b2216-47dd-4e64-9433-cddc99727623_103.json | 82 ++++++ ...b2216-47dd-4e64-9433-cddc99727623_104.json | 80 ++++++ .../7f370d54-c0eb-4270-ac5a-9a6020585dc6.json | 115 -------- ...70d54-c0eb-4270-ac5a-9a6020585dc6_103.json | 116 ++++++++ ...70d54-c0eb-4270-ac5a-9a6020585dc6_104.json | 115 ++++++++ .../7fb500fa-8e24-4bd1-9480-2a819352602c.json | 98 ------- ...fb500fa-8e24-4bd1-9480-2a819352602c_1.json | 99 +++++++ ...fb500fa-8e24-4bd1-9480-2a819352602c_2.json | 98 +++++++ .../80084fa9-8677-4453-8680-b891d3c0c778.json | 75 ------ ...0084fa9-8677-4453-8680-b891d3c0c778_1.json | 75 ++++++ .../809b70d3-e2c3-455e-af1b-2626a5a1a276.json | 38 --- ...b70d3-e2c3-455e-af1b-2626a5a1a276_104.json | 39 +++ ...b70d3-e2c3-455e-af1b-2626a5a1a276_105.json | 38 +++ .../80c52164-c82a-402c-9964-852533d58be1.json | 74 ------ ...52164-c82a-402c-9964-852533d58be1_100.json | 75 ++++++ ...52164-c82a-402c-9964-852533d58be1_101.json | 74 ++++++ .../818e23e6-2094-4f0e-8c01-22d30f3506c6.json | 95 ------- ...e23e6-2094-4f0e-8c01-22d30f3506c6_104.json | 96 +++++++ ...e23e6-2094-4f0e-8c01-22d30f3506c6_105.json | 95 +++++++ .../81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json | 115 -------- ...e9dc6-a2d7-4192-a2d8-eed98afc766a_105.json | 111 ++++++++ ...e9dc6-a2d7-4192-a2d8-eed98afc766a_106.json | 116 ++++++++ ...e9dc6-a2d7-4192-a2d8-eed98afc766a_107.json | 115 ++++++++ .../81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json | 93 ------- ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json | 99 +++++++ ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json | 94 +++++++ ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json | 93 +++++++ .../827f8d8f-4117-4ae4-b551-f56d54b9da6b.json | 97 ------- ...f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json | 98 +++++++ ...f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json | 97 +++++++ .../83a1931d-8136-46fc-b7b9-2db4f639e014.json | 74 ------ ...1931d-8136-46fc-b7b9-2db4f639e014_101.json | 76 ++++++ ...1931d-8136-46fc-b7b9-2db4f639e014_102.json | 74 ++++++ .../83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json | 92 ------- ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json | 93 +++++++ ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json | 92 +++++++ .../84da2554-e12a-11ec-b896-f661ea17fbcd.json | 97 ------- ...a2554-e12a-11ec-b896-f661ea17fbcd_104.json | 98 +++++++ ...a2554-e12a-11ec-b896-f661ea17fbcd_105.json | 97 +++++++ .../850d901a-2a3c-46c6-8b22-55398a01aad8.json | 154 ----------- ...d901a-2a3c-46c6-8b22-55398a01aad8_105.json | 160 +++++++++++ ...d901a-2a3c-46c6-8b22-55398a01aad8_106.json | 155 +++++++++++ ...d901a-2a3c-46c6-8b22-55398a01aad8_107.json | 154 +++++++++++ .../852c1f19-68e8-43a6-9dce-340771fe1be3.json | 95 ------- ...c1f19-68e8-43a6-9dce-340771fe1be3_104.json | 109 ++++++++ ...c1f19-68e8-43a6-9dce-340771fe1be3_105.json | 109 ++++++++ ...c1f19-68e8-43a6-9dce-340771fe1be3_106.json | 108 ++++++++ ...c1f19-68e8-43a6-9dce-340771fe1be3_107.json | 95 +++++++ .../8623535c-1e17-44e1-aa97-7a0699c3037d.json | 97 ------- ...3535c-1e17-44e1-aa97-7a0699c3037d_102.json | 99 +++++++ ...3535c-1e17-44e1-aa97-7a0699c3037d_103.json | 97 +++++++ .../863cdf31-7fd3-41cf-a185-681237ea277b.json | 87 ------ ...cdf31-7fd3-41cf-a185-681237ea277b_102.json | 90 +++++++ ...cdf31-7fd3-41cf-a185-681237ea277b_103.json | 87 ++++++ .../867616ec-41e5-4edc-ada2-ab13ab45de8a.json | 87 ------ ...616ec-41e5-4edc-ada2-ab13ab45de8a_102.json | 90 +++++++ ...616ec-41e5-4edc-ada2-ab13ab45de8a_103.json | 87 ++++++ .../870aecc0-cea4-4110-af3f-e02e9b373655.json | 95 ------- ...aecc0-cea4-4110-af3f-e02e9b373655_103.json | 96 +++++++ ...aecc0-cea4-4110-af3f-e02e9b373655_104.json | 95 +++++++ .../871ea072-1b71-4def-b016-6278b505138d.json | 125 --------- ...ea072-1b71-4def-b016-6278b505138d_105.json | 126 +++++++++ ...ea072-1b71-4def-b016-6278b505138d_106.json | 125 +++++++++ .../87594192-4539-4bc4-8543-23bc3d5bd2b4.json | 86 ------ ...94192-4539-4bc4-8543-23bc3d5bd2b4_102.json | 90 +++++++ ...94192-4539-4bc4-8543-23bc3d5bd2b4_103.json | 86 ++++++ .../88671231-6626-4e1b-abb7-6e361a171fbb.json | 88 ------- ...71231-6626-4e1b-abb7-6e361a171fbb_101.json | 90 +++++++ ...71231-6626-4e1b-abb7-6e361a171fbb_102.json | 88 +++++++ .../88817a33-60d3-411f-ba79-7c905d865b2a.json | 86 ------ ...17a33-60d3-411f-ba79-7c905d865b2a_102.json | 87 ++++++ ...17a33-60d3-411f-ba79-7c905d865b2a_103.json | 86 ++++++ .../891cb88e-441a-4c3e-be2d-120d99fe7b0d.json | 98 ------- ...cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json | 99 +++++++ ...cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json | 98 +++++++ .../897dc6b5-b39f-432a-8d75-d3730d50c782.json | 107 -------- ...dc6b5-b39f-432a-8d75-d3730d50c782_104.json | 108 ++++++++ ...dc6b5-b39f-432a-8d75-d3730d50c782_105.json | 108 ++++++++ ...dc6b5-b39f-432a-8d75-d3730d50c782_106.json | 107 ++++++++ .../89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json | 108 -------- ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json | 107 ++++++++ ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json | 109 ++++++++ ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json | 108 ++++++++ .../89fa6cb7-6b53-4de2-b604-648488841ab8.json | 79 ------ ...a6cb7-6b53-4de2-b604-648488841ab8_102.json | 80 ++++++ ...a6cb7-6b53-4de2-b604-648488841ab8_103.json | 79 ++++++ .../8a1b0278-0f9a-487d-96bd-d4833298e87a.json | 67 ----- ...b0278-0f9a-487d-96bd-d4833298e87a_101.json | 68 +++++ ...b0278-0f9a-487d-96bd-d4833298e87a_102.json | 67 +++++ .../8a1d4831-3ce6-4859-9891-28931fa6101d.json | 136 ---------- ...d4831-3ce6-4859-9891-28931fa6101d_102.json | 137 ++++++++++ ...d4831-3ce6-4859-9891-28931fa6101d_103.json | 136 ++++++++++ .../8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json | 83 ------ ...c1e5f-ad63-481e-b53a-ef959230f7f1_102.json | 86 ++++++ ...c1e5f-ad63-481e-b53a-ef959230f7f1_103.json | 83 ++++++ .../8acb7614-1d92-4359-bfcf-478b6d9de150.json | 90 ------- ...b7614-1d92-4359-bfcf-478b6d9de150_103.json | 90 +++++++ ...b7614-1d92-4359-bfcf-478b6d9de150_104.json | 90 +++++++ .../8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json | 124 --------- ...b3a62-a598-4293-bc14-3d5fa22bb98f_103.json | 125 +++++++++ ...b3a62-a598-4293-bc14-3d5fa22bb98f_104.json | 124 +++++++++ .../8b4f0816-6a65-4630-86a6-c21c179c0d09.json | 96 ------- ...f0816-6a65-4630-86a6-c21c179c0d09_104.json | 97 +++++++ ...f0816-6a65-4630-86a6-c21c179c0d09_105.json | 96 +++++++ .../8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json | 87 ------ ...4d36a-1307-4b2e-a77b-a0027e4d27c8_101.json | 89 +++++++ ...4d36a-1307-4b2e-a77b-a0027e4d27c8_102.json | 87 ++++++ .../8c1bdde8-4204-45c0-9e0c-c85ca3902488.json | 113 -------- ...bdde8-4204-45c0-9e0c-c85ca3902488_100.json | 116 ++++++++ ...bdde8-4204-45c0-9e0c-c85ca3902488_101.json | 113 ++++++++ .../8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json | 96 ------- ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json | 96 +++++++ ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json | 96 +++++++ .../8c81e506-6e82-4884-9b9a-75d3d252f967.json | 125 --------- ...1e506-6e82-4884-9b9a-75d3d252f967_103.json | 126 +++++++++ ...1e506-6e82-4884-9b9a-75d3d252f967_104.json | 125 +++++++++ .../8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json | 55 ---- ...4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json | 56 ++++ ...4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json | 55 ++++ .../8cb84371-d053-4f4f-bce0-c74990e28f28.json | 98 ------- ...cb84371-d053-4f4f-bce0-c74990e28f28_4.json | 99 +++++++ ...cb84371-d053-4f4f-bce0-c74990e28f28_5.json | 98 +++++++ ...cb84371-d053-4f4f-bce0-c74990e28f28_6.json | 98 +++++++ .../8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json | 94 ------- ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json | 94 +++++++ ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json | 94 +++++++ .../8ddab73b-3d15-4e5d-9413-47f05553c1d7.json | 74 ------ ...ab73b-3d15-4e5d-9413-47f05553c1d7_101.json | 77 ++++++ ...ab73b-3d15-4e5d-9413-47f05553c1d7_102.json | 74 ++++++ .../8f3e91c7-d791-4704-80a1-42c160d7aa27.json | 114 -------- ...e91c7-d791-4704-80a1-42c160d7aa27_102.json | 115 ++++++++ ...e91c7-d791-4704-80a1-42c160d7aa27_103.json | 114 ++++++++ .../8f919d4b-a5af-47ca-a594-6be59cd924a4.json | 130 --------- ...19d4b-a5af-47ca-a594-6be59cd924a4_103.json | 131 +++++++++ ...19d4b-a5af-47ca-a594-6be59cd924a4_104.json | 130 +++++++++ .../8fb75dda-c47a-4e34-8ecd-34facf7aad13.json | 80 ------ ...75dda-c47a-4e34-8ecd-34facf7aad13_103.json | 82 ++++++ ...75dda-c47a-4e34-8ecd-34facf7aad13_104.json | 80 ++++++ .../90169566-2260-4824-b8e4-8615c3b4ed52.json | 84 ------ ...69566-2260-4824-b8e4-8615c3b4ed52_103.json | 85 ++++++ ...69566-2260-4824-b8e4-8615c3b4ed52_104.json | 84 ++++++ .../9055ece6-2689-4224-a0e0-b04881e1f8ad.json | 92 ------- ...5ece6-2689-4224-a0e0-b04881e1f8ad_102.json | 94 +++++++ ...5ece6-2689-4224-a0e0-b04881e1f8ad_103.json | 92 +++++++ .../9092cd6c-650f-4fa3-8a8a-28256c7489c9.json | 111 -------- ...2cd6c-650f-4fa3-8a8a-28256c7489c9_102.json | 112 ++++++++ ...2cd6c-650f-4fa3-8a8a-28256c7489c9_103.json | 111 ++++++++ .../9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json | 83 ------ ...0ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json | 86 ++++++ ...0ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json | 83 ++++++ .../91d04cd4-47a9-4334-ab14-084abe274d49.json | 90 ------- ...04cd4-47a9-4334-ab14-084abe274d49_102.json | 92 +++++++ ...04cd4-47a9-4334-ab14-084abe274d49_103.json | 90 +++++++ .../91f02f01-969f-4167-8d77-07827ac4cee0.json | 57 ---- ...02f01-969f-4167-8d77-07827ac4cee0_101.json | 59 +++++ ...02f01-969f-4167-8d77-07827ac4cee0_102.json | 57 ++++ .../91f02f01-969f-4167-8f55-07827ac3acc9.json | 57 ---- ...02f01-969f-4167-8f55-07827ac3acc9_101.json | 59 +++++ ...02f01-969f-4167-8f55-07827ac3acc9_102.json | 57 ++++ .../91f02f01-969f-4167-8f66-07827ac3bdd9.json | 50 ---- ...02f01-969f-4167-8f66-07827ac3bdd9_101.json | 52 ++++ ...02f01-969f-4167-8f66-07827ac3bdd9_102.json | 50 ++++ .../92984446-aefb-4d5e-ad12-598042ca80ba.json | 106 -------- ...2984446-aefb-4d5e-ad12-598042ca80ba_2.json | 107 ++++++++ ...2984446-aefb-4d5e-ad12-598042ca80ba_3.json | 106 ++++++++ ...2984446-aefb-4d5e-ad12-598042ca80ba_4.json | 106 ++++++++ .../92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json | 89 ------- ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json | 95 +++++++ ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json | 90 +++++++ ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json | 89 +++++++ .../93075852-b0f5-4b8b-89c3-a226efae5726.json | 112 -------- ...75852-b0f5-4b8b-89c3-a226efae5726_102.json | 114 ++++++++ ...75852-b0f5-4b8b-89c3-a226efae5726_103.json | 112 ++++++++ .../931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json | 79 ------ ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json | 80 ++++++ ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json | 79 ++++++ .../9395fd2c-9947-4472-86ef-4aceb2f7e872.json | 96 ------- ...5fd2c-9947-4472-86ef-4aceb2f7e872_105.json | 98 +++++++ ...5fd2c-9947-4472-86ef-4aceb2f7e872_106.json | 96 +++++++ .../93b22c0a-06a0-4131-b830-b10d5e166ff4.json | 119 --------- ...22c0a-06a0-4131-b830-b10d5e166ff4_104.json | 120 +++++++++ ...22c0a-06a0-4131-b830-b10d5e166ff4_105.json | 119 +++++++++ .../93c1ce76-494c-4f01-8167-35edfb52f7b1.json | 72 ----- ...1ce76-494c-4f01-8167-35edfb52f7b1_103.json | 73 ++++++ ...1ce76-494c-4f01-8167-35edfb52f7b1_104.json | 72 +++++ .../93e63c3e-4154-4fc6-9f86-b411e0987bbf.json | 86 ------ ...63c3e-4154-4fc6-9f86-b411e0987bbf_203.json | 88 +++++++ ...63c3e-4154-4fc6-9f86-b411e0987bbf_204.json | 89 +++++++ ...63c3e-4154-4fc6-9f86-b411e0987bbf_205.json | 86 ++++++ .../93f47b6f-5728-4004-ba00-625083b3dcb0.json | 107 -------- ...47b6f-5728-4004-ba00-625083b3dcb0_101.json | 108 ++++++++ ...47b6f-5728-4004-ba00-625083b3dcb0_102.json | 108 ++++++++ ...47b6f-5728-4004-ba00-625083b3dcb0_103.json | 107 ++++++++ .../94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json | 88 ------- ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json | 89 +++++++ ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json | 88 +++++++ .../9510add4-3392-11ed-bd01-f661ea17fbce.json | 92 ------- ...0add4-3392-11ed-bd01-f661ea17fbce_104.json | 94 +++++++ ...0add4-3392-11ed-bd01-f661ea17fbce_105.json | 95 +++++++ ...0add4-3392-11ed-bd01-f661ea17fbce_106.json | 92 +++++++ .../954ee7c8-5437-49ae-b2d6-2960883898e9.json | 129 --------- ...ee7c8-5437-49ae-b2d6-2960883898e9_104.json | 130 +++++++++ ...ee7c8-5437-49ae-b2d6-2960883898e9_105.json | 129 +++++++++ .../959a7353-1129-4aa7-9084-30746b256a70.json | 105 -------- ...a7353-1129-4aa7-9084-30746b256a70_105.json | 106 ++++++++ ...a7353-1129-4aa7-9084-30746b256a70_106.json | 105 ++++++++ .../968ccab9-da51-4a87-9ce2-d3c9782fd759.json | 98 ------- ...ccab9-da51-4a87-9ce2-d3c9782fd759_103.json | 99 +++++++ ...ccab9-da51-4a87-9ce2-d3c9782fd759_104.json | 99 +++++++ ...ccab9-da51-4a87-9ce2-d3c9782fd759_105.json | 98 +++++++ .../96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json | 74 ------ ...9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json | 77 ++++++ ...9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json | 74 ++++++ .../96d11d31-9a79-480f-8401-da28b194608f.json | 89 ------- ...6d11d31-9a79-480f-8401-da28b194608f_1.json | 90 +++++++ ...6d11d31-9a79-480f-8401-da28b194608f_2.json | 89 +++++++ .../96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json | 94 ------- ...90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json | 95 +++++++ ...90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json | 94 +++++++ .../97020e61-e591-4191-8a3b-2861a2b887cd.json | 92 ------- ...7020e61-e591-4191-8a3b-2861a2b887cd_3.json | 93 +++++++ ...7020e61-e591-4191-8a3b-2861a2b887cd_4.json | 92 +++++++ .../97314185-2568-4561-ae81-f3e480e5e695.json | 90 ------- ...14185-2568-4561-ae81-f3e480e5e695_101.json | 92 +++++++ ...14185-2568-4561-ae81-f3e480e5e695_102.json | 90 +++++++ .../97359fd8-757d-4b1d-9af1-ef29e4a8680e.json | 80 ------ ...59fd8-757d-4b1d-9af1-ef29e4a8680e_103.json | 83 ++++++ ...59fd8-757d-4b1d-9af1-ef29e4a8680e_104.json | 80 ++++++ .../979729e7-0c52-4c4c-b71e-88103304a79f.json | 109 -------- ...729e7-0c52-4c4c-b71e-88103304a79f_102.json | 111 ++++++++ ...729e7-0c52-4c4c-b71e-88103304a79f_103.json | 109 ++++++++ .../97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json | 80 ------ ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json | 82 ++++++ ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json | 80 ++++++ .../97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json | 90 ------- ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json | 91 +++++++ ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json | 90 +++++++ .../97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json | 85 ------ ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json | 86 ++++++ ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json | 85 ++++++ .../97fc44d3-8dae-4019-ae83-298c3015600f.json | 112 -------- ...c44d3-8dae-4019-ae83-298c3015600f_104.json | 104 ++++++++ ...c44d3-8dae-4019-ae83-298c3015600f_105.json | 104 ++++++++ ...c44d3-8dae-4019-ae83-298c3015600f_106.json | 113 ++++++++ ...c44d3-8dae-4019-ae83-298c3015600f_107.json | 112 ++++++++ .../980b70a0-c820-11ed-8799-f661ea17fbcc.json | 97 ------- ...80b70a0-c820-11ed-8799-f661ea17fbcc_1.json | 100 +++++++ ...80b70a0-c820-11ed-8799-f661ea17fbcc_2.json | 97 +++++++ .../9890ee61-d061-403d-9bf6-64934c51f638.json | 81 ------ ...0ee61-d061-403d-9bf6-64934c51f638_103.json | 83 ++++++ ...0ee61-d061-403d-9bf6-64934c51f638_104.json | 81 ++++++ .../98995807-5b09-4e37-8a54-5cae5dc932d7.json | 90 ------- ...95807-5b09-4e37-8a54-5cae5dc932d7_101.json | 92 +++++++ ...95807-5b09-4e37-8a54-5cae5dc932d7_102.json | 90 +++++++ .../98fd7407-0bd5-5817-cda0-3fcc33113a56.json | 84 ------ ...d7407-0bd5-5817-cda0-3fcc33113a56_105.json | 87 ++++++ ...d7407-0bd5-5817-cda0-3fcc33113a56_106.json | 84 ++++++ .../990838aa-a953-4f3e-b3cb-6ddf7584de9e.json | 74 ------ ...838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json | 75 ++++++ ...838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json | 74 ++++++ .../99239e7d-b0d4-46e3-8609-acafcf99f68c.json | 127 --------- ...39e7d-b0d4-46e3-8609-acafcf99f68c_102.json | 128 +++++++++ ...39e7d-b0d4-46e3-8609-acafcf99f68c_103.json | 127 +++++++++ .../9960432d-9b26-409f-972b-839a959e79e2.json | 95 ------- ...0432d-9b26-409f-972b-839a959e79e2_103.json | 96 +++++++ ...0432d-9b26-409f-972b-839a959e79e2_104.json | 95 +++++++ ...0432d-9b26-409f-972b-839a959e79e2_106.json | 95 +++++++ .../99dcf974-6587-4f65-9252-d866a3fdfd9c.json | 53 ---- ...cf974-6587-4f65-9252-d866a3fdfd9c_102.json | 53 ++++ ...cf974-6587-4f65-9252-d866a3fdfd9c_103.json | 53 ++++ .../9a1a2dae-0b5f-4c3d-8305-a268d404c306.json | 89 ------- ...a2dae-0b5f-4c3d-8305-a268d404c306_101.json | 90 +++++++ ...a2dae-0b5f-4c3d-8305-a268d404c306_102.json | 89 +++++++ .../9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json | 117 --------- ...a3689-8ed1-4cdb-83fb-9506db54c61f_105.json | 117 +++++++++ ...a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json | 123 +++++++++ ...a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json | 122 +++++++++ .../9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json | 107 -------- ...b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json | 108 ++++++++ ...b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json | 107 ++++++++ .../9aa0e1f6-52ce-42e1-abb3-09657cee2698.json | 90 ------- ...0e1f6-52ce-42e1-abb3-09657cee2698_103.json | 91 +++++++ ...0e1f6-52ce-42e1-abb3-09657cee2698_104.json | 90 +++++++ .../9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json | 100 ------- ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json | 101 +++++++ ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json | 100 +++++++ .../9c260313-c811-4ec8-ab89-8f6530e0246c.json | 104 -------- ...60313-c811-4ec8-ab89-8f6530e0246c_103.json | 105 ++++++++ ...60313-c811-4ec8-ab89-8f6530e0246c_104.json | 104 ++++++++ .../9c865691-5599-447a-bac9-b3f2df5f9a9d.json | 133 ---------- ...c865691-5599-447a-bac9-b3f2df5f9a9d_4.json | 139 ++++++++++ ...c865691-5599-447a-bac9-b3f2df5f9a9d_5.json | 134 ++++++++++ ...c865691-5599-447a-bac9-b3f2df5f9a9d_6.json | 133 ++++++++++ .../9ccf3ce0-0057-440a-91f5-870c6ad39093.json | 126 --------- ...f3ce0-0057-440a-91f5-870c6ad39093_104.json | 127 +++++++++ ...f3ce0-0057-440a-91f5-870c6ad39093_105.json | 126 +++++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json | 109 -------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json | 110 ++++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json | 109 ++++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json | 104 -------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json | 105 ++++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json | 104 ++++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json | 96 ------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json | 97 +++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json | 97 +++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json | 96 +++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json | 110 -------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json | 111 ++++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json | 111 ++++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json | 110 ++++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json | 98 ------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json | 99 +++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json | 98 +++++++ .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json | 89 ------- ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json | 90 +++++++ ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json | 89 +++++++ .../9d19ece6-c20e-481a-90c5-ccca596537de.json | 91 ------- ...9ece6-c20e-481a-90c5-ccca596537de_102.json | 92 +++++++ ...9ece6-c20e-481a-90c5-ccca596537de_103.json | 91 +++++++ .../9d302377-d226-4e12-b54c-1906b5aec4f6.json | 58 ---- ...02377-d226-4e12-b54c-1906b5aec4f6_101.json | 59 +++++ ...02377-d226-4e12-b54c-1906b5aec4f6_102.json | 58 ++++ .../9f1c4ca3-44b5-481d-ba42-32dc215a2769.json | 79 ------ ...c4ca3-44b5-481d-ba42-32dc215a2769_103.json | 80 ++++++ ...c4ca3-44b5-481d-ba42-32dc215a2769_104.json | 79 ++++++ .../9f962927-1a4f-45f3-a57b-287f2c7029c1.json | 106 -------- ...62927-1a4f-45f3-a57b-287f2c7029c1_105.json | 111 ++++++++ ...62927-1a4f-45f3-a57b-287f2c7029c1_106.json | 106 ++++++++ ...62927-1a4f-45f3-a57b-287f2c7029c1_107.json | 106 ++++++++ .../9f9a2a82-93a8-4b1a-8778-1780895626d4.json | 89 ------- ...a2a82-93a8-4b1a-8778-1780895626d4_102.json | 90 +++++++ ...a2a82-93a8-4b1a-8778-1780895626d4_103.json | 89 +++++++ .../a00681e3-9ed6-447c-ab2c-be648821c622.json | 99 ------- ...681e3-9ed6-447c-ab2c-be648821c622_105.json | 88 +++++++ ...681e3-9ed6-447c-ab2c-be648821c622_205.json | 103 ++++++++ ...681e3-9ed6-447c-ab2c-be648821c622_206.json | 99 +++++++ .../a02cb68e-7c93-48d1-93b2-2c39023308eb.json | 94 ------- ...02cb68e-7c93-48d1-93b2-2c39023308eb_5.json | 95 +++++++ ...02cb68e-7c93-48d1-93b2-2c39023308eb_6.json | 90 +++++++ ...02cb68e-7c93-48d1-93b2-2c39023308eb_7.json | 89 +++++++ ...02cb68e-7c93-48d1-93b2-2c39023308eb_8.json | 94 +++++++ .../a10d3d9d-0f65-48f1-8b25-af175e2594f5.json | 80 ------ ...d3d9d-0f65-48f1-8b25-af175e2594f5_104.json | 82 ++++++ ...d3d9d-0f65-48f1-8b25-af175e2594f5_105.json | 80 ++++++ .../a13167f1-eec2-4015-9631-1fee60406dcf.json | 92 ------- ...167f1-eec2-4015-9631-1fee60406dcf_103.json | 93 +++++++ ...167f1-eec2-4015-9631-1fee60406dcf_104.json | 92 +++++++ .../a1329140-8de3-4445-9f87-908fb6d824f4.json | 90 ------- ...29140-8de3-4445-9f87-908fb6d824f4_103.json | 91 +++++++ ...29140-8de3-4445-9f87-908fb6d824f4_104.json | 90 +++++++ .../a16612dd-b30e-4d41-86a0-ebe70974ec00.json | 91 ------- ...612dd-b30e-4d41-86a0-ebe70974ec00_103.json | 92 +++++++ ...612dd-b30e-4d41-86a0-ebe70974ec00_104.json | 91 +++++++ .../a1699af0-8e1e-4ed0-8ec1-89783538a061.json | 83 ------ ...1699af0-8e1e-4ed0-8ec1-89783538a061_2.json | 84 ++++++ ...1699af0-8e1e-4ed0-8ec1-89783538a061_3.json | 83 ++++++ .../a17bcc91-297b-459b-b5ce-bc7460d8f82a.json | 88 ------- ...bcc91-297b-459b-b5ce-bc7460d8f82a_103.json | 91 +++++++ ...bcc91-297b-459b-b5ce-bc7460d8f82a_104.json | 88 +++++++ ...198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json | 64 +++++ ...198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json | 61 +++++ .../a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json | 100 ------- ...0375f-22c2-48c0-81a4-7c2d11cc6856_103.json | 101 +++++++ ...0375f-22c2-48c0-81a4-7c2d11cc6856_104.json | 100 +++++++ .../a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json | 82 ------ ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json | 82 ++++++ .../a22a09c2-2162-4df0-a356-9aacbeb56a04.json | 89 ------- ...a09c2-2162-4df0-a356-9aacbeb56a04_103.json | 90 +++++++ ...a09c2-2162-4df0-a356-9aacbeb56a04_104.json | 89 +++++++ .../a2795334-2499-11ed-9e1a-f661ea17fbce.json | 108 -------- ...95334-2499-11ed-9e1a-f661ea17fbce_104.json | 110 ++++++++ ...95334-2499-11ed-9e1a-f661ea17fbce_105.json | 111 ++++++++ ...95334-2499-11ed-9e1a-f661ea17fbce_106.json | 108 ++++++++ .../a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json | 113 -------- ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json | 114 ++++++++ ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json | 113 ++++++++ ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json | 113 ++++++++ .../a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json | 83 ------ ...a12f3-0d4e-4667-8b44-4230c63f3c75_103.json | 84 ++++++ ...a12f3-0d4e-4667-8b44-4230c63f3c75_104.json | 83 ++++++ .../a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json | 120 --------- ...7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json | 121 +++++++++ ...7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json | 120 +++++++++ .../a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json | 88 ------- ...326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json | 90 +++++++ ...326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json | 88 +++++++ .../a605c51a-73ad-406d-bf3a-f24cc41d5c97.json | 93 ------- ...5c51a-73ad-406d-bf3a-f24cc41d5c97_104.json | 95 +++++++ ...5c51a-73ad-406d-bf3a-f24cc41d5c97_105.json | 93 +++++++ .../a61809f3-fb5b-465c-8bff-23a8a068ac60.json | 124 --------- ...61809f3-fb5b-465c-8bff-23a8a068ac60_1.json | 124 +++++++++ .../a624863f-a70d-417f-a7d2-7a404638d47f.json | 119 --------- ...4863f-a70d-417f-a7d2-7a404638d47f_105.json | 120 +++++++++ ...4863f-a70d-417f-a7d2-7a404638d47f_106.json | 119 +++++++++ .../a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json | 84 ------ ...f4dd4-743e-4da8-8c03-3ebd753a6c90_102.json | 85 ++++++ ...f4dd4-743e-4da8-8c03-3ebd753a6c90_103.json | 84 ++++++ .../a7ccae7b-9d2c-44b2-a061-98e5946971fa.json | 105 -------- ...cae7b-9d2c-44b2-a061-98e5946971fa_104.json | 105 ++++++++ ...cae7b-9d2c-44b2-a061-98e5946971fa_105.json | 105 ++++++++ ...cae7b-9d2c-44b2-a061-98e5946971fa_106.json | 105 ++++++++ .../a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json | 102 ------- ...7bfa3-088e-4f13-b29e-3986e0e756b8_104.json | 103 ++++++++ ...7bfa3-088e-4f13-b29e-3986e0e756b8_105.json | 102 +++++++ .../a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json | 51 ---- ...a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json | 52 ++++ ...a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102.json | 51 ++++ .../a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json | 104 -------- ...8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json | 104 ++++++++ .../a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json | 90 ------- ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json | 92 +++++++ ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json | 90 +++++++ .../a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json | 88 ------- ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json | 90 +++++++ ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json | 91 +++++++ ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json | 88 +++++++ .../a9b05c3b-b304-4bf9-970d-acdfaef2944c.json | 86 ------ ...05c3b-b304-4bf9-970d-acdfaef2944c_102.json | 87 ++++++ ...05c3b-b304-4bf9-970d-acdfaef2944c_103.json | 86 ++++++ .../a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json | 68 ----- ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json | 72 +++++ ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json | 68 +++++ .../aa8007f0-d1df-49ef-8520-407857594827.json | 95 ------- ...007f0-d1df-49ef-8520-407857594827_103.json | 97 +++++++ ...007f0-d1df-49ef-8520-407857594827_104.json | 95 +++++++ .../aa895aea-b69c-4411-b110-8d7599634b30.json | 90 ------- ...95aea-b69c-4411-b110-8d7599634b30_104.json | 91 +++++++ ...95aea-b69c-4411-b110-8d7599634b30_105.json | 90 +++++++ .../aa9a274d-6b53-424d-ac5e-cb8ca4251650.json | 135 ---------- ...a274d-6b53-424d-ac5e-cb8ca4251650_104.json | 136 ++++++++++ ...a274d-6b53-424d-ac5e-cb8ca4251650_105.json | 136 ++++++++++ ...a274d-6b53-424d-ac5e-cb8ca4251650_106.json | 135 ++++++++++ ...a274d-6b53-424d-ac5e-cb8ca4251650_107.json | 135 ++++++++++ .../aab184d3-72b3-4639-b242-6597c99d8bca.json | 248 ------------------ ...ab184d3-72b3-4639-b242-6597c99d8bca_1.json | 248 ++++++++++++++++++ .../ab75c24b-2502-43a0-bf7c-e60e662c811e.json | 109 -------- ...5c24b-2502-43a0-bf7c-e60e662c811e_104.json | 110 ++++++++ ...5c24b-2502-43a0-bf7c-e60e662c811e_105.json | 110 ++++++++ ...5c24b-2502-43a0-bf7c-e60e662c811e_106.json | 109 ++++++++ .../abae61a8-c560-4dbd-acca-1e1438bff36b.json | 58 ---- ...e61a8-c560-4dbd-acca-1e1438bff36b_101.json | 59 +++++ ...e61a8-c560-4dbd-acca-1e1438bff36b_102.json | 58 ++++ .../ac412404-57a5-476f-858f-4e8fbb4f48d8.json | 100 ------- ...12404-57a5-476f-858f-4e8fbb4f48d8_103.json | 101 +++++++ ...12404-57a5-476f-858f-4e8fbb4f48d8_104.json | 100 +++++++ .../ac5012b8-8da8-440b-aaaf-aedafdea2dff.json | 99 ------- ...012b8-8da8-440b-aaaf-aedafdea2dff_105.json | 100 +++++++ ...012b8-8da8-440b-aaaf-aedafdea2dff_106.json | 99 +++++++ .../ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json | 38 --- ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json | 39 +++ ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json | 38 +++ .../ac96ceb8-4399-4191-af1d-4feeac1f1f46.json | 87 ------ ...6ceb8-4399-4191-af1d-4feeac1f1f46_105.json | 88 +++++++ ...6ceb8-4399-4191-af1d-4feeac1f1f46_106.json | 87 ++++++ .../acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json | 86 ------ ...c8bb9-2486-49a8-8779-45fb5f9a93ee_203.json | 87 ++++++ ...c8bb9-2486-49a8-8779-45fb5f9a93ee_204.json | 88 +++++++ ...c8bb9-2486-49a8-8779-45fb5f9a93ee_205.json | 86 ++++++ .../acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json | 135 ---------- ...611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json | 136 ++++++++++ ...611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json | 135 ++++++++++ .../ace1e989-a541-44df-93a8-a8b0591b63c0.json | 89 ------- ...1e989-a541-44df-93a8-a8b0591b63c0_103.json | 90 +++++++ ...1e989-a541-44df-93a8-a8b0591b63c0_104.json | 89 +++++++ .../acf738b5-b5b2-4acc-bad9-1e18ee234f40.json | 88 ------- ...738b5-b5b2-4acc-bad9-1e18ee234f40_102.json | 89 +++++++ ...738b5-b5b2-4acc-bad9-1e18ee234f40_103.json | 88 +++++++ .../ad0d2742-9a49-11ec-8d6b-acde48001122.json | 92 ------- ...d2742-9a49-11ec-8d6b-acde48001122_104.json | 93 +++++++ ...d2742-9a49-11ec-8d6b-acde48001122_105.json | 92 +++++++ .../ad3f2807-2b3e-47d7-b282-f84acbbe14be.json | 86 ------ ...f2807-2b3e-47d7-b282-f84acbbe14be_203.json | 87 ++++++ ...f2807-2b3e-47d7-b282-f84acbbe14be_204.json | 88 +++++++ ...f2807-2b3e-47d7-b282-f84acbbe14be_205.json | 86 ++++++ .../ad84d445-b1ce-4377-82d9-7c633f28bf9a.json | 90 ------- ...4d445-b1ce-4377-82d9-7c633f28bf9a_105.json | 91 +++++++ ...4d445-b1ce-4377-82d9-7c633f28bf9a_106.json | 91 +++++++ ...4d445-b1ce-4377-82d9-7c633f28bf9a_107.json | 90 +++++++ .../ad88231f-e2ab-491c-8fc6-64746da26cfe.json | 97 ------- ...8231f-e2ab-491c-8fc6-64746da26cfe_102.json | 98 +++++++ ...8231f-e2ab-491c-8fc6-64746da26cfe_103.json | 97 +++++++ .../adb961e0-cb74-42a0-af9e-29fc41f88f5f.json | 100 ------- ...961e0-cb74-42a0-af9e-29fc41f88f5f_105.json | 101 +++++++ ...961e0-cb74-42a0-af9e-29fc41f88f5f_106.json | 100 +++++++ .../ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json | 132 ---------- ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json | 133 ++++++++++ ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json | 132 ++++++++++ .../aebaa51f-2a91-4f6a-850b-b601db2293f4.json | 97 ------- ...ebaa51f-2a91-4f6a-850b-b601db2293f4_1.json | 97 +++++++ .../afcce5ad-65de-4ed2-8516-5e093d3ac99a.json | 124 --------- ...ce5ad-65de-4ed2-8516-5e093d3ac99a_103.json | 125 +++++++++ ...ce5ad-65de-4ed2-8516-5e093d3ac99a_104.json | 124 +++++++++ .../b0046934-486e-462f-9487-0d4cf9e429c6.json | 87 ------ ...46934-486e-462f-9487-0d4cf9e429c6_101.json | 88 +++++++ ...46934-486e-462f-9487-0d4cf9e429c6_102.json | 87 ++++++ .../b00bcd89-000c-4425-b94c-716ef67762f6.json | 85 ------ ...bcd89-000c-4425-b94c-716ef67762f6_102.json | 86 ++++++ ...bcd89-000c-4425-b94c-716ef67762f6_103.json | 85 ++++++ .../b240bfb8-26b7-4e5e-924e-218144a3fa71.json | 32 --- ...0bfb8-26b7-4e5e-924e-218144a3fa71_101.json | 34 +++ ...0bfb8-26b7-4e5e-924e-218144a3fa71_102.json | 32 +++ .../b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json | 94 ------- ...a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json | 95 +++++++ ...a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json | 95 +++++++ ...a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json | 94 +++++++ .../b2951150-658f-4a60-832f-a00d1e6c6745.json | 90 ------- ...51150-658f-4a60-832f-a00d1e6c6745_101.json | 92 +++++++ ...51150-658f-4a60-832f-a00d1e6c6745_102.json | 90 +++++++ .../b29ee2be-bf99-446c-ab1a-2dc0183394b8.json | 119 --------- ...ee2be-bf99-446c-ab1a-2dc0183394b8_102.json | 118 +++++++++ ...ee2be-bf99-446c-ab1a-2dc0183394b8_103.json | 120 +++++++++ ...ee2be-bf99-446c-ab1a-2dc0183394b8_104.json | 119 +++++++++ .../b347b919-665f-4aac-b9e8-68369bf2340c.json | 55 ---- ...7b919-665f-4aac-b9e8-68369bf2340c_101.json | 56 ++++ ...7b919-665f-4aac-b9e8-68369bf2340c_102.json | 55 ++++ .../b41a13c6-ba45-4bab-a534-df53d0cfed6a.json | 85 ------ ...a13c6-ba45-4bab-a534-df53d0cfed6a_104.json | 86 ++++++ ...a13c6-ba45-4bab-a534-df53d0cfed6a_105.json | 85 ++++++ .../b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json | 97 ------- ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json | 102 +++++++ ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json | 98 +++++++ ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json | 97 +++++++ .../b4449455-f986-4b5a-82ed-e36b129331f7.json | 90 ------- ...49455-f986-4b5a-82ed-e36b129331f7_102.json | 91 +++++++ ...49455-f986-4b5a-82ed-e36b129331f7_103.json | 90 +++++++ .../b45ab1d2-712f-4f01-a751-df3826969807.json | 112 -------- ...ab1d2-712f-4f01-a751-df3826969807_102.json | 114 ++++++++ ...ab1d2-712f-4f01-a751-df3826969807_103.json | 112 ++++++++ .../b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json | 82 ------ ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json | 86 ++++++ ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json | 82 ++++++ .../b5877334-677f-4fb9-86d5-a9721274223b.json | 103 -------- ...77334-677f-4fb9-86d5-a9721274223b_104.json | 104 ++++++++ ...77334-677f-4fb9-86d5-a9721274223b_105.json | 103 ++++++++ .../b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json | 91 ------- ...a4bfe-a1b2-421f-9d47-22a75a6f2921_105.json | 92 +++++++ ...a4bfe-a1b2-421f-9d47-22a75a6f2921_106.json | 91 +++++++ .../b627cd12-dac4-11ec-9582-f661ea17fbcd.json | 86 ------ ...7cd12-dac4-11ec-9582-f661ea17fbcd_101.json | 87 ++++++ ...7cd12-dac4-11ec-9582-f661ea17fbcd_102.json | 86 ++++++ ...7cd12-dac4-11ec-9582-f661ea17fbcd_103.json | 86 ++++++ .../b64b183e-1a76-422d-9179-7b389513e74d.json | 145 ---------- ...b183e-1a76-422d-9179-7b389513e74d_104.json | 146 +++++++++++ ...b183e-1a76-422d-9179-7b389513e74d_105.json | 145 ++++++++++ .../b6dce542-2b75-4ffb-b7d6-38787298ba9d.json | 95 ------- ...ce542-2b75-4ffb-b7d6-38787298ba9d_102.json | 97 +++++++ ...ce542-2b75-4ffb-b7d6-38787298ba9d_103.json | 95 +++++++ .../b719a170-3bdb-4141-b0e3-13e3cf627bfe.json | 82 ------ ...9a170-3bdb-4141-b0e3-13e3cf627bfe_102.json | 86 ++++++ ...9a170-3bdb-4141-b0e3-13e3cf627bfe_103.json | 82 ++++++ .../b8075894-0b62-46e5-977c-31275da34419.json | 75 ------ ...75894-0b62-46e5-977c-31275da34419_102.json | 78 ++++++ ...75894-0b62-46e5-977c-31275da34419_103.json | 75 ++++++ .../b8386923-b02c-4b94-986a-d223d9b01f88.json | 114 -------- ...8386923-b02c-4b94-986a-d223d9b01f88_2.json | 115 ++++++++ ...8386923-b02c-4b94-986a-d223d9b01f88_3.json | 114 ++++++++ .../b83a7e96-2eb3-4edf-8346-427b6858d3bd.json | 96 ------- ...a7e96-2eb3-4edf-8346-427b6858d3bd_103.json | 97 +++++++ ...a7e96-2eb3-4edf-8346-427b6858d3bd_104.json | 96 +++++++ .../b86afe07-0d98-4738-b15d-8d7465f95ff5.json | 88 ------- ...afe07-0d98-4738-b15d-8d7465f95ff5_102.json | 89 +++++++ ...afe07-0d98-4738-b15d-8d7465f95ff5_103.json | 88 +++++++ .../b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json | 105 -------- ...cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json | 106 ++++++++ ...cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json | 105 ++++++++ .../b910f25a-2d44-47f2-a873-aabdc0d355e6.json | 88 ------- ...0f25a-2d44-47f2-a873-aabdc0d355e6_103.json | 89 +++++++ ...0f25a-2d44-47f2-a873-aabdc0d355e6_104.json | 88 +++++++ ...0f25a-2d44-47f2-a873-aabdc0d355e6_105.json | 88 +++++++ .../b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json | 56 ---- ...946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json | 57 ++++ ...946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json | 56 ++++ .../b9554892-5e0e-424b-83a0-5aef95aa43bf.json | 91 ------- ...54892-5e0e-424b-83a0-5aef95aa43bf_105.json | 96 +++++++ ...54892-5e0e-424b-83a0-5aef95aa43bf_106.json | 91 +++++++ ...54892-5e0e-424b-83a0-5aef95aa43bf_107.json | 91 +++++++ .../b9666521-4742-49ce-9ddc-b8e84c35acae.json | 103 -------- ...66521-4742-49ce-9ddc-b8e84c35acae_102.json | 104 ++++++++ ...66521-4742-49ce-9ddc-b8e84c35acae_103.json | 103 ++++++++ .../b9960fef-82c6-4816-befa-44745030e917.json | 117 --------- ...60fef-82c6-4816-befa-44745030e917_103.json | 118 +++++++++ ...60fef-82c6-4816-befa-44745030e917_104.json | 117 +++++++++ .../ba342eb2-583c-439f-b04d-1fdd7c1417cc.json | 37 --- ...42eb2-583c-439f-b04d-1fdd7c1417cc_101.json | 38 +++ ...42eb2-583c-439f-b04d-1fdd7c1417cc_102.json | 37 +++ .../baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json | 99 ------- ...5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json | 100 +++++++ ...5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json | 99 +++++++ .../bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json | 102 ------- ...fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json | 104 ++++++++ ...fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json | 102 +++++++ .../bb9b13b2-1700-48a8-a750-b43b0a72ab69.json | 95 ------- ...b13b2-1700-48a8-a750-b43b0a72ab69_102.json | 98 +++++++ ...b13b2-1700-48a8-a750-b43b0a72ab69_103.json | 95 +++++++ .../bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json | 83 ------ ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json | 86 ++++++ ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json | 83 ++++++ .../bbaa96b9-f36c-4898-ace2-581acb00a409.json | 105 -------- ...baa96b9-f36c-4898-ace2-581acb00a409_1.json | 105 ++++++++ .../bbd1a775-8267-41fa-9232-20e5582596ac.json | 93 ------- ...1a775-8267-41fa-9232-20e5582596ac_101.json | 96 +++++++ ...1a775-8267-41fa-9232-20e5582596ac_102.json | 93 +++++++ .../bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json | 98 ------- ...c6f0d-dab0-47a3-b135-0925f0a333bc_105.json | 100 +++++++ ...c6f0d-dab0-47a3-b135-0925f0a333bc_106.json | 98 +++++++ .../bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json | 74 ------ ...f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json | 77 ++++++ ...f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json | 74 ++++++ .../bc1eeacf-2972-434f-b782-3a532b100d67.json | 99 ------- ...eeacf-2972-434f-b782-3a532b100d67_102.json | 100 +++++++ ...eeacf-2972-434f-b782-3a532b100d67_103.json | 99 +++++++ .../bc48bba7-4a23-4232-b551-eca3ca1e3f20.json | 81 ------ ...8bba7-4a23-4232-b551-eca3ca1e3f20_101.json | 83 ++++++ ...8bba7-4a23-4232-b551-eca3ca1e3f20_102.json | 81 ++++++ .../bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json | 91 ------- ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json | 92 +++++++ ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json | 91 +++++++ .../bca7d28e-4a48-47b1-adb7-5074310e9a61.json | 80 ------ ...7d28e-4a48-47b1-adb7-5074310e9a61_103.json | 82 ++++++ ...7d28e-4a48-47b1-adb7-5074310e9a61_104.json | 80 ++++++ .../bd2c86a0-8b61-4457-ab38-96943984e889.json | 113 -------- ...c86a0-8b61-4457-ab38-96943984e889_105.json | 114 ++++++++ ...c86a0-8b61-4457-ab38-96943984e889_106.json | 113 ++++++++ ...c86a0-8b61-4457-ab38-96943984e889_107.json | 113 ++++++++ .../bd7eefee-f671-494e-98df-f01daf9e5f17.json | 82 ------ ...eefee-f671-494e-98df-f01daf9e5f17_102.json | 82 ++++++ ...eefee-f671-494e-98df-f01daf9e5f17_103.json | 82 ++++++ .../bdcf646b-08d4-492c-870a-6c04e3700034.json | 111 -------- ...f646b-08d4-492c-870a-6c04e3700034_103.json | 115 ++++++++ ...f646b-08d4-492c-870a-6c04e3700034_104.json | 110 ++++++++ ...f646b-08d4-492c-870a-6c04e3700034_105.json | 111 ++++++++ .../be8afaed-4bcd-4e0a-b5f9-5562003dde81.json | 107 -------- ...afaed-4bcd-4e0a-b5f9-5562003dde81_104.json | 108 ++++++++ ...afaed-4bcd-4e0a-b5f9-5562003dde81_105.json | 107 ++++++++ .../bf1073bf-ce26-4607-b405-ba1ed8e9e204.json | 93 ------- ...073bf-ce26-4607-b405-ba1ed8e9e204_102.json | 96 +++++++ ...073bf-ce26-4607-b405-ba1ed8e9e204_103.json | 93 +++++++ .../bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json | 154 ----------- ...af89b-a2a7-48a3-817f-e41829dc61ee_104.json | 145 ++++++++++ ...af89b-a2a7-48a3-817f-e41829dc61ee_105.json | 144 ++++++++++ ...af89b-a2a7-48a3-817f-e41829dc61ee_106.json | 154 +++++++++++ .../c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json | 102 ------- ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json | 103 ++++++++ ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json | 102 +++++++ .../c0429aa8-9974-42da-bfb6-53a0a515a145.json | 92 ------- ...29aa8-9974-42da-bfb6-53a0a515a145_103.json | 93 +++++++ ...29aa8-9974-42da-bfb6-53a0a515a145_104.json | 92 +++++++ .../c0be5f31-e180-48ed-aa08-96b36899d48f.json | 74 ------ ...e5f31-e180-48ed-aa08-96b36899d48f_100.json | 75 ++++++ ...e5f31-e180-48ed-aa08-96b36899d48f_101.json | 74 ++++++ .../c125e48f-6783-41f0-b100-c3bf1b114d16.json | 85 ------ ...125e48f-6783-41f0-b100-c3bf1b114d16_1.json | 86 ++++++ ...125e48f-6783-41f0-b100-c3bf1b114d16_2.json | 85 ++++++ .../c1812764-0788-470f-8e74-eb4a14d47573.json | 105 -------- ...12764-0788-470f-8e74-eb4a14d47573_102.json | 106 ++++++++ ...12764-0788-470f-8e74-eb4a14d47573_103.json | 105 ++++++++ .../c25e9c87-95e1-4368-bfab-9fd34cf867ec.json | 95 ------- ...e9c87-95e1-4368-bfab-9fd34cf867ec_104.json | 96 +++++++ ...e9c87-95e1-4368-bfab-9fd34cf867ec_105.json | 95 +++++++ .../c28c4d8c-f014-40ef-88b6-79a1d67cd499.json | 51 ---- ...c4d8c-f014-40ef-88b6-79a1d67cd499_101.json | 52 ++++ ...c4d8c-f014-40ef-88b6-79a1d67cd499_102.json | 51 ++++ .../c292fa52-4115-408a-b897-e14f684b3cb7.json | 109 -------- ...2fa52-4115-408a-b897-e14f684b3cb7_102.json | 110 ++++++++ ...2fa52-4115-408a-b897-e14f684b3cb7_103.json | 109 ++++++++ .../c2d90150-0133-451c-a783-533e736c12d7.json | 102 ------- ...90150-0133-451c-a783-533e736c12d7_103.json | 103 ++++++++ ...90150-0133-451c-a783-533e736c12d7_104.json | 102 +++++++ .../c3167e1b-f73c-41be-b60b-87f4df707fe3.json | 74 ------ ...67e1b-f73c-41be-b60b-87f4df707fe3_100.json | 75 ++++++ ...67e1b-f73c-41be-b60b-87f4df707fe3_101.json | 74 ++++++ .../c3b915e0-22f3-4bf7-991d-b643513c722f.json | 96 ------- ...915e0-22f3-4bf7-991d-b643513c722f_102.json | 97 +++++++ ...915e0-22f3-4bf7-991d-b643513c722f_103.json | 96 +++++++ .../c3f5e1d8-910e-43b4-8d44-d748e498ca86.json | 116 -------- ...5e1d8-910e-43b4-8d44-d748e498ca86_102.json | 116 ++++++++ ...5e1d8-910e-43b4-8d44-d748e498ca86_103.json | 116 ++++++++ .../c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json | 152 ----------- ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json | 153 +++++++++++ ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json | 152 +++++++++++ .../c4818812-d44f-47be-aaef-4cfb2f9cc799.json | 92 ------- ...18812-d44f-47be-aaef-4cfb2f9cc799_102.json | 92 +++++++ ...18812-d44f-47be-aaef-4cfb2f9cc799_103.json | 92 +++++++ .../c57f8579-e2a5-4804-847f-f2732edc5156.json | 109 -------- ...f8579-e2a5-4804-847f-f2732edc5156_103.json | 110 ++++++++ ...f8579-e2a5-4804-847f-f2732edc5156_104.json | 109 ++++++++ .../c58c3081-2e1d-4497-8491-e73a45d1a6d6.json | 87 ------ ...c3081-2e1d-4497-8491-e73a45d1a6d6_103.json | 90 +++++++ ...c3081-2e1d-4497-8491-e73a45d1a6d6_104.json | 87 ++++++ .../c5c9f591-d111-4cf8-baec-c26a39bc31ef.json | 113 -------- ...9f591-d111-4cf8-baec-c26a39bc31ef_103.json | 114 ++++++++ ...9f591-d111-4cf8-baec-c26a39bc31ef_104.json | 113 ++++++++ .../c5ce48a6-7f57-4ee8-9313-3d0024caee10.json | 97 ------- ...e48a6-7f57-4ee8-9313-3d0024caee10_103.json | 98 +++++++ ...e48a6-7f57-4ee8-9313-3d0024caee10_104.json | 97 +++++++ .../c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json | 108 -------- ...c3223-13a2-44a2-946c-e9dc0aa0449c_104.json | 109 ++++++++ ...c3223-13a2-44a2-946c-e9dc0aa0449c_105.json | 108 ++++++++ .../c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json | 89 ------- ...81243-56e0-47f9-b5bb-55a5ed89ba57_101.json | 91 +++++++ ...81243-56e0-47f9-b5bb-55a5ed89ba57_102.json | 89 +++++++ .../c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json | 95 ------- ...53e73-90eb-4fe7-a98c-cde7bbfc504a_104.json | 96 +++++++ ...53e73-90eb-4fe7-a98c-cde7bbfc504a_105.json | 96 +++++++ ...53e73-90eb-4fe7-a98c-cde7bbfc504a_106.json | 95 +++++++ .../c749e367-a069-4a73-b1f2-43a3798153ad.json | 83 ------ ...9e367-a069-4a73-b1f2-43a3798153ad_102.json | 86 ++++++ ...9e367-a069-4a73-b1f2-43a3798153ad_103.json | 83 ++++++ .../c74fd275-ab2c-4d49-8890-e2943fa65c09.json | 69 ----- ...fd275-ab2c-4d49-8890-e2943fa65c09_102.json | 73 ++++++ ...fd275-ab2c-4d49-8890-e2943fa65c09_103.json | 69 +++++ .../c7894234-7814-44c2-92a9-f7d851ea246a.json | 100 ------- ...94234-7814-44c2-92a9-f7d851ea246a_103.json | 101 +++++++ ...94234-7814-44c2-92a9-f7d851ea246a_104.json | 100 +++++++ .../c7908cac-337a-4f38-b50d-5eeb78bdb531.json | 107 -------- ...08cac-337a-4f38-b50d-5eeb78bdb531_201.json | 109 ++++++++ ...08cac-337a-4f38-b50d-5eeb78bdb531_202.json | 107 ++++++++ .../c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json | 101 ------- ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json | 101 +++++++ ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json | 101 +++++++ .../c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json | 33 --- ...b5533-ca2a-41f6-a8b0-ee98abe0f573_102.json | 35 +++ ...b5533-ca2a-41f6-a8b0-ee98abe0f573_103.json | 33 +++ .../c81cefcb-82b9-4408-a533-3c3df549e62d.json | 84 ------ ...cefcb-82b9-4408-a533-3c3df549e62d_102.json | 85 ++++++ ...cefcb-82b9-4408-a533-3c3df549e62d_103.json | 84 ++++++ .../c82b2bd8-d701-420c-ba43-f11a155b681a.json | 99 ------- ...b2bd8-d701-420c-ba43-f11a155b681a_100.json | 102 +++++++ ...b2bd8-d701-420c-ba43-f11a155b681a_101.json | 99 +++++++ .../c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json | 109 -------- ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json | 110 ++++++++ ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json | 110 ++++++++ ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json | 109 ++++++++ .../c85eb82c-d2c8-485c-a36f-534f914b7663.json | 90 ------- ...eb82c-d2c8-485c-a36f-534f914b7663_101.json | 91 +++++++ ...eb82c-d2c8-485c-a36f-534f914b7663_102.json | 90 +++++++ .../c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json | 129 --------- ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json | 130 +++++++++ ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json | 129 +++++++++ .../c8935a8b-634a-4449-98f7-bb24d3b2c0af.json | 99 ------- ...8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json | 90 +++++++ ...8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json | 89 +++++++ ...8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json | 99 +++++++ .../c8b150f0-0164-475b-a75e-74b47800a9ff.json | 81 ------ ...150f0-0164-475b-a75e-74b47800a9ff_104.json | 82 ++++++ ...150f0-0164-475b-a75e-74b47800a9ff_105.json | 82 ++++++ ...150f0-0164-475b-a75e-74b47800a9ff_106.json | 81 ++++++ .../c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json | 104 -------- ...ccb06-faf2-4cd5-886e-2c9636cfcb87_104.json | 105 ++++++++ ...ccb06-faf2-4cd5-886e-2c9636cfcb87_105.json | 104 ++++++++ .../c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json | 74 ------ ...38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json | 75 ++++++ ...38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json | 74 ++++++ .../ca79768e-40e1-4e45-a097-0e5fbc876ac2.json | 90 ------- ...9768e-40e1-4e45-a097-0e5fbc876ac2_101.json | 92 +++++++ ...9768e-40e1-4e45-a097-0e5fbc876ac2_102.json | 90 +++++++ .../ca98c7cf-a56e-4057-a4e8-39603f7f0389.json | 109 -------- ...a98c7cf-a56e-4057-a4e8-39603f7f0389_2.json | 110 ++++++++ ...a98c7cf-a56e-4057-a4e8-39603f7f0389_3.json | 109 ++++++++ .../cac91072-d165-11ec-a764-f661ea17fbce.json | 109 -------- ...91072-d165-11ec-a764-f661ea17fbce_105.json | 100 +++++++ ...91072-d165-11ec-a764-f661ea17fbce_106.json | 100 +++++++ ...91072-d165-11ec-a764-f661ea17fbce_107.json | 99 +++++++ ...91072-d165-11ec-a764-f661ea17fbce_207.json | 109 ++++++++ .../cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json | 91 ------- ...4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json | 94 +++++++ ...4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json | 91 +++++++ .../cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json | 89 ------- ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json | 90 +++++++ ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json | 89 +++++++ .../cc2fd2d0-ba3a-4939-b87f-2901764ed036.json | 91 ------- ...fd2d0-ba3a-4939-b87f-2901764ed036_102.json | 92 +++++++ ...fd2d0-ba3a-4939-b87f-2901764ed036_103.json | 91 +++++++ .../cc6a8a20-2df2-11ed-8378-f661ea17fbce.json | 98 ------- ...a8a20-2df2-11ed-8378-f661ea17fbce_104.json | 100 +++++++ ...a8a20-2df2-11ed-8378-f661ea17fbce_105.json | 101 +++++++ ...a8a20-2df2-11ed-8378-f661ea17fbce_106.json | 98 +++++++ .../cc89312d-6f47-48e4-a87c-4977bd4633c3.json | 80 ------ ...9312d-6f47-48e4-a87c-4977bd4633c3_103.json | 82 ++++++ ...9312d-6f47-48e4-a87c-4977bd4633c3_104.json | 80 ++++++ .../cc92c835-da92-45c9-9f29-b4992ad621a0.json | 83 ------ ...2c835-da92-45c9-9f29-b4992ad621a0_102.json | 86 ++++++ ...2c835-da92-45c9-9f29-b4992ad621a0_103.json | 83 ++++++ .../ccc55af4-9882-4c67-87b4-449a7ae8079c.json | 113 -------- ...55af4-9882-4c67-87b4-449a7ae8079c_103.json | 114 ++++++++ ...55af4-9882-4c67-87b4-449a7ae8079c_104.json | 113 ++++++++ .../cd16fb10-0261-46e8-9932-a0336278cdbe.json | 76 ------ ...6fb10-0261-46e8-9932-a0336278cdbe_102.json | 79 ++++++ ...6fb10-0261-46e8-9932-a0336278cdbe_103.json | 76 ++++++ .../cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json | 58 ---- ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json | 59 +++++ ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json | 58 ++++ .../cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json | 112 -------- ...6a5af-e34b-4bb0-8931-57d0a043f2ef_103.json | 114 ++++++++ ...6a5af-e34b-4bb0-8931-57d0a043f2ef_104.json | 112 ++++++++ .../cd89602e-9db0-48e3-9391-ae3bf241acd8.json | 75 ------ ...9602e-9db0-48e3-9391-ae3bf241acd8_102.json | 77 ++++++ ...9602e-9db0-48e3-9391-ae3bf241acd8_103.json | 75 ++++++ .../cdbebdc1-dc97-43c6-a538-f26a20c0a911.json | 67 ----- ...ebdc1-dc97-43c6-a538-f26a20c0a911_102.json | 70 +++++ ...ebdc1-dc97-43c6-a538-f26a20c0a911_103.json | 67 +++++ .../cde1bafa-9f01-4f43-a872-605b678968b0.json | 85 ------ ...de1bafa-9f01-4f43-a872-605b678968b0_2.json | 87 ++++++ ...de1bafa-9f01-4f43-a872-605b678968b0_3.json | 86 ++++++ ...de1bafa-9f01-4f43-a872-605b678968b0_4.json | 85 ++++++ .../ce64d965-6cb0-466d-b74f-8d2c76f47f05.json | 99 ------- ...4d965-6cb0-466d-b74f-8d2c76f47f05_103.json | 100 +++++++ ...4d965-6cb0-466d-b74f-8d2c76f47f05_104.json | 99 +++++++ .../cf53f532-9cc9-445a-9ae7-fced307ec53c.json | 69 ----- ...3f532-9cc9-445a-9ae7-fced307ec53c_102.json | 73 ++++++ ...3f532-9cc9-445a-9ae7-fced307ec53c_103.json | 69 +++++ .../cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json | 93 ------- ...49724-c577-4fd6-8f9b-d1b8ec519ec0_203.json | 95 +++++++ ...49724-c577-4fd6-8f9b-d1b8ec519ec0_204.json | 96 +++++++ ...49724-c577-4fd6-8f9b-d1b8ec519ec0_205.json | 93 +++++++ .../cff92c41-2225-4763-b4ce-6f71e5bda5e6.json | 121 --------- ...92c41-2225-4763-b4ce-6f71e5bda5e6_105.json | 122 +++++++++ ...92c41-2225-4763-b4ce-6f71e5bda5e6_106.json | 122 +++++++++ ...92c41-2225-4763-b4ce-6f71e5bda5e6_107.json | 121 +++++++++ .../d00f33e7-b57d-4023-9952-2db91b1767c4.json | 92 ------- ...00f33e7-b57d-4023-9952-2db91b1767c4_4.json | 93 +++++++ ...00f33e7-b57d-4023-9952-2db91b1767c4_5.json | 92 +++++++ .../d0e159cf-73e9-40d1-a9ed-077e3158a855.json | 88 ------- ...159cf-73e9-40d1-a9ed-077e3158a855_102.json | 89 +++++++ ...159cf-73e9-40d1-a9ed-077e3158a855_103.json | 89 +++++++ ...159cf-73e9-40d1-a9ed-077e3158a855_104.json | 88 +++++++ .../d117cbb4-7d56-41b4-b999-bdf8c25648a0.json | 101 ------- ...7cbb4-7d56-41b4-b999-bdf8c25648a0_104.json | 102 +++++++ ...7cbb4-7d56-41b4-b999-bdf8c25648a0_105.json | 101 +++++++ .../d22a85c6-d2ad-4cc4-bf7b-54787473669a.json | 81 ------ ...a85c6-d2ad-4cc4-bf7b-54787473669a_102.json | 82 ++++++ ...a85c6-d2ad-4cc4-bf7b-54787473669a_103.json | 81 ++++++ .../d31f183a-e5b1-451b-8534-ba62bca0b404.json | 120 --------- ...f183a-e5b1-451b-8534-ba62bca0b404_104.json | 121 +++++++++ ...f183a-e5b1-451b-8534-ba62bca0b404_105.json | 120 +++++++++ .../d331bbe2-6db4-4941-80a5-8270db72eb61.json | 98 ------- ...1bbe2-6db4-4941-80a5-8270db72eb61_105.json | 99 +++++++ ...1bbe2-6db4-4941-80a5-8270db72eb61_106.json | 98 +++++++ .../d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json | 123 --------- ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json | 129 +++++++++ ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json | 124 +++++++++ ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json | 123 +++++++++ .../d461fac0-43e8-49e2-85ea-3a58fe120b4f.json | 94 ------- ...1fac0-43e8-49e2-85ea-3a58fe120b4f_102.json | 95 +++++++ ...1fac0-43e8-49e2-85ea-3a58fe120b4f_103.json | 94 +++++++ .../d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json | 74 ------ ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json | 78 ++++++ ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json | 74 ++++++ .../d49cc73f-7a16-4def-89ce-9fc7127d7820.json | 46 ---- ...cc73f-7a16-4def-89ce-9fc7127d7820_101.json | 47 ++++ ...cc73f-7a16-4def-89ce-9fc7127d7820_102.json | 46 ++++ .../d4af3a06-1e0a-48ec-b96a-faf2309fae46.json | 51 ---- ...f3a06-1e0a-48ec-b96a-faf2309fae46_101.json | 52 ++++ ...f3a06-1e0a-48ec-b96a-faf2309fae46_102.json | 51 ++++ .../d4b73fa0-9d43-465e-b8bf-50230da6718b.json | 51 ---- ...73fa0-9d43-465e-b8bf-50230da6718b_101.json | 52 ++++ ...73fa0-9d43-465e-b8bf-50230da6718b_102.json | 51 ++++ .../d563aaba-2e72-462b-8658-3e5ea22db3a6.json | 82 ------ ...3aaba-2e72-462b-8658-3e5ea22db3a6_102.json | 83 ++++++ ...3aaba-2e72-462b-8658-3e5ea22db3a6_103.json | 82 ++++++ .../d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json | 82 ------ ...86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json | 86 ++++++ ...86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json | 82 ++++++ .../d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json | 139 ---------- ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json | 140 ++++++++++ ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json | 139 ++++++++++ .../d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json | 111 -------- ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json | 114 ++++++++ ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json | 111 ++++++++ .../d62b64a8-a7c9-43e5-aee3-15a725a794e7.json | 80 ------ ...b64a8-a7c9-43e5-aee3-15a725a794e7_104.json | 82 ++++++ ...b64a8-a7c9-43e5-aee3-15a725a794e7_105.json | 80 ++++++ .../d68e95ad-1c82-4074-a12a-125fe10ac8ba.json | 117 --------- ...68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json | 113 ++++++++ ...68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json | 118 +++++++++ ...68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json | 117 +++++++++ .../d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json | 90 ------- ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json | 92 +++++++ ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json | 90 +++++++ .../d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json | 109 -------- ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json | 110 ++++++++ ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json | 109 ++++++++ .../d72e33fc-6e91-42ff-ac8b-e573268c5a87.json | 114 -------- ...e33fc-6e91-42ff-ac8b-e573268c5a87_104.json | 115 ++++++++ ...e33fc-6e91-42ff-ac8b-e573268c5a87_105.json | 114 ++++++++ .../d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json | 89 ------- ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json | 91 +++++++ ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json | 89 +++++++ .../d75991f2-b989-419d-b797-ac1e54ec2d61.json | 86 ------ ...991f2-b989-419d-b797-ac1e54ec2d61_102.json | 87 ++++++ ...991f2-b989-419d-b797-ac1e54ec2d61_103.json | 86 ++++++ .../d76b02ef-fc95-4001-9297-01cb7412232f.json | 104 -------- ...b02ef-fc95-4001-9297-01cb7412232f_103.json | 86 ++++++ ...b02ef-fc95-4001-9297-01cb7412232f_104.json | 95 +++++++ ...b02ef-fc95-4001-9297-01cb7412232f_105.json | 94 +++++++ ...b02ef-fc95-4001-9297-01cb7412232f_106.json | 104 ++++++++ .../d79c4b2a-6134-4edd-86e6-564a92a933f9.json | 79 ------ ...c4b2a-6134-4edd-86e6-564a92a933f9_101.json | 81 ++++++ ...c4b2a-6134-4edd-86e6-564a92a933f9_102.json | 79 ++++++ .../d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json | 51 ---- ...5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json | 52 ++++ ...5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json | 51 ++++ .../d7e62693-aab9-4f66-a21a-3d79ecdd603d.json | 87 ------ ...62693-aab9-4f66-a21a-3d79ecdd603d_100.json | 90 +++++++ ...62693-aab9-4f66-a21a-3d79ecdd603d_101.json | 87 ++++++ .../d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json | 88 ------- ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json | 87 ++++++ ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json | 89 +++++++ ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json | 88 +++++++ .../d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json | 89 ------- ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json | 92 +++++++ ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json | 89 +++++++ .../d99a037b-c8e2-47a5-97b9-170d076827c4.json | 92 ------- ...a037b-c8e2-47a5-97b9-170d076827c4_104.json | 93 +++++++ ...a037b-c8e2-47a5-97b9-170d076827c4_105.json | 92 +++++++ .../da7733b1-fe08-487e-b536-0a04c6d8b0cd.json | 97 ------- ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json | 96 +++++++ ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json | 98 +++++++ ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json | 97 +++++++ .../da87eee1-129c-4661-a7aa-57d0b9645fad.json | 85 ------ ...a87eee1-129c-4661-a7aa-57d0b9645fad_4.json | 91 +++++++ ...a87eee1-129c-4661-a7aa-57d0b9645fad_5.json | 86 ++++++ ...a87eee1-129c-4661-a7aa-57d0b9645fad_6.json | 86 ++++++ ...a87eee1-129c-4661-a7aa-57d0b9645fad_7.json | 85 ++++++ .../daafdf96-e7b1-4f14-b494-27e0d24b11f6.json | 110 -------- ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json | 111 ++++++++ ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json | 110 ++++++++ .../dafa3235-76dc-40e2-9f71-1773b96d24cf.json | 74 ------ ...a3235-76dc-40e2-9f71-1773b96d24cf_104.json | 76 ++++++ ...a3235-76dc-40e2-9f71-1773b96d24cf_105.json | 74 ++++++ .../db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json | 86 ------ ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json | 87 ++++++ ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json | 86 ++++++ .../db8c33a8-03cd-4988-9e2c-d0a4863adb13.json | 81 ------ ...c33a8-03cd-4988-9e2c-d0a4863adb13_100.json | 82 ++++++ ...c33a8-03cd-4988-9e2c-d0a4863adb13_101.json | 81 ++++++ .../dc0b7782-0df0-47ff-8337-db0d678bdb66.json | 117 --------- ...c0b7782-0df0-47ff-8337-db0d678bdb66_1.json | 117 +++++++++ .../dc71c186-9fe4-4437-a4d0-85ebb32b8204.json | 78 ------ ...c71c186-9fe4-4437-a4d0-85ebb32b8204_1.json | 79 ++++++ ...c71c186-9fe4-4437-a4d0-85ebb32b8204_2.json | 78 ++++++ .../dc9c1f74-dac3-48e3-b47f-eb79db358f57.json | 91 ------- ...c1f74-dac3-48e3-b47f-eb79db358f57_104.json | 92 +++++++ ...c1f74-dac3-48e3-b47f-eb79db358f57_105.json | 91 +++++++ .../dca28dee-c999-400f-b640-50a081cc0fd1.json | 38 --- ...28dee-c999-400f-b640-50a081cc0fd1_104.json | 39 +++ ...28dee-c999-400f-b640-50a081cc0fd1_105.json | 38 +++ .../dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json | 91 ------- ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json | 92 +++++++ ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json | 91 +++++++ .../ddab1f5f-7089-44f5-9fda-de5b11322e77.json | 88 ------- ...b1f5f-7089-44f5-9fda-de5b11322e77_103.json | 89 +++++++ ...b1f5f-7089-44f5-9fda-de5b11322e77_104.json | 88 +++++++ .../de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json | 85 ------ ...bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json | 86 ++++++ ...bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json | 85 ++++++ .../debff20a-46bc-4a4d-bae5-5cdd14222795.json | 86 ------ ...ff20a-46bc-4a4d-bae5-5cdd14222795_103.json | 87 ++++++ ...ff20a-46bc-4a4d-bae5-5cdd14222795_104.json | 86 ++++++ .../df0fd41e-5590-4965-ad5e-cd079ec22fa9.json | 87 ------ ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json | 86 ++++++ ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json | 88 +++++++ ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json | 87 ++++++ .../df197323-72a8-46a9-a08e-3f5b04a4a97a.json | 58 ---- ...97323-72a8-46a9-a08e-3f5b04a4a97a_101.json | 59 +++++ ...97323-72a8-46a9-a08e-3f5b04a4a97a_102.json | 58 ++++ .../df26fd74-1baa-4479-b42e-48da84642330.json | 95 ------- ...6fd74-1baa-4479-b42e-48da84642330_101.json | 97 +++++++ ...6fd74-1baa-4479-b42e-48da84642330_102.json | 95 +++++++ .../df6f62d9-caab-4b88-affa-044f4395a1e0.json | 100 ------- ...f62d9-caab-4b88-affa-044f4395a1e0_102.json | 101 +++++++ ...f62d9-caab-4b88-affa-044f4395a1e0_103.json | 100 +++++++ .../df7fda76-c92b-4943-bc68-04460a5ea5ba.json | 108 -------- ...fda76-c92b-4943-bc68-04460a5ea5ba_201.json | 110 ++++++++ ...fda76-c92b-4943-bc68-04460a5ea5ba_202.json | 108 ++++++++ .../e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json | 87 ------ ...bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json | 89 +++++++ ...bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json | 87 ++++++ .../e052c845-48d0-4f46-8a13-7d0aba05df82.json | 99 ------- ...2c845-48d0-4f46-8a13-7d0aba05df82_103.json | 104 ++++++++ ...2c845-48d0-4f46-8a13-7d0aba05df82_104.json | 99 +++++++ ...2c845-48d0-4f46-8a13-7d0aba05df82_105.json | 99 +++++++ .../e0881d20-54ac-457f-8733-fe0bc5d44c55.json | 103 -------- ...0881d20-54ac-457f-8733-fe0bc5d44c55_2.json | 104 ++++++++ ...0881d20-54ac-457f-8733-fe0bc5d44c55_3.json | 103 ++++++++ .../e08ccd49-0380-4b2b-8d71-8000377d6e49.json | 80 ------ ...ccd49-0380-4b2b-8d71-8000377d6e49_102.json | 82 ++++++ ...ccd49-0380-4b2b-8d71-8000377d6e49_103.json | 80 ++++++ .../e0f36de1-0342-453d-95a9-a068b257b053.json | 89 ------- ...36de1-0342-453d-95a9-a068b257b053_101.json | 91 +++++++ ...36de1-0342-453d-95a9-a068b257b053_102.json | 89 +++++++ .../e12c0318-99b1-44f2-830c-3a38a43207ca.json | 84 ------ ...c0318-99b1-44f2-830c-3a38a43207ca_102.json | 87 ++++++ ...c0318-99b1-44f2-830c-3a38a43207ca_103.json | 84 ++++++ .../e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json | 99 ------- ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json | 101 +++++++ ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json | 99 +++++++ .../e19e64ee-130e-4c07-961f-8a339f0b8362.json | 86 ------ ...e64ee-130e-4c07-961f-8a339f0b8362_102.json | 87 ++++++ ...e64ee-130e-4c07-961f-8a339f0b8362_103.json | 86 ++++++ .../e2258f48-ba75-4248-951b-7c885edf18c2.json | 84 ------ ...2258f48-ba75-4248-951b-7c885edf18c2_1.json | 85 ++++++ ...2258f48-ba75-4248-951b-7c885edf18c2_2.json | 84 ++++++ .../e26aed74-c816-40d3-a810-48d6fbd8b2fd.json | 81 ------ ...aed74-c816-40d3-a810-48d6fbd8b2fd_102.json | 81 ++++++ ...aed74-c816-40d3-a810-48d6fbd8b2fd_103.json | 81 ++++++ .../e26f042e-c590-4e82-8e05-41e81bd822ad.json | 117 --------- ...f042e-c590-4e82-8e05-41e81bd822ad_105.json | 118 +++++++++ ...f042e-c590-4e82-8e05-41e81bd822ad_106.json | 118 +++++++++ ...f042e-c590-4e82-8e05-41e81bd822ad_107.json | 117 +++++++++ .../e2a67480-3b79-403d-96e3-fdd2992c50ef.json | 108 -------- ...67480-3b79-403d-96e3-fdd2992c50ef_105.json | 110 ++++++++ ...67480-3b79-403d-96e3-fdd2992c50ef_106.json | 108 ++++++++ .../e2e0537d-7d8f-4910-a11d-559bcf61295a.json | 91 ------- ...2e0537d-7d8f-4910-a11d-559bcf61295a_2.json | 92 +++++++ ...2e0537d-7d8f-4910-a11d-559bcf61295a_3.json | 91 +++++++ .../e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json | 93 ------- ...9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json | 94 +++++++ ...9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json | 93 +++++++ .../e2fb5b18-e33c-4270-851e-c3d675c9afcd.json | 80 ------ ...b5b18-e33c-4270-851e-c3d675c9afcd_103.json | 82 ++++++ ...b5b18-e33c-4270-851e-c3d675c9afcd_104.json | 80 ++++++ .../e3343ab9-4245-4715-b344-e11c56b0a47f.json | 118 --------- ...43ab9-4245-4715-b344-e11c56b0a47f_104.json | 119 +++++++++ ...43ab9-4245-4715-b344-e11c56b0a47f_105.json | 119 +++++++++ ...43ab9-4245-4715-b344-e11c56b0a47f_106.json | 118 +++++++++ .../e3c27562-709a-42bd-82f2-3ed926cced19.json | 87 ------ ...27562-709a-42bd-82f2-3ed926cced19_102.json | 89 +++++++ ...27562-709a-42bd-82f2-3ed926cced19_103.json | 87 ++++++ .../e3c5d5cb-41d5-4206-805c-f30561eae3ac.json | 55 ---- ...5d5cb-41d5-4206-805c-f30561eae3ac_100.json | 56 ++++ ...5d5cb-41d5-4206-805c-f30561eae3ac_101.json | 55 ++++ .../e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json | 88 ------- ...f38fa-d5b8-46cc-87f9-4a7513e4281d_102.json | 89 +++++++ ...f38fa-d5b8-46cc-87f9-4a7513e4281d_103.json | 88 +++++++ .../e3e904b3-0a8e-4e68-86a8-977a163e21d3.json | 90 ------- ...904b3-0a8e-4e68-86a8-977a163e21d3_103.json | 91 +++++++ ...904b3-0a8e-4e68-86a8-977a163e21d3_104.json | 90 +++++++ .../e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json | 83 ------ ...236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json | 86 ++++++ ...236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json | 83 ++++++ .../e4e31051-ee01-4307-a6ee-b21b186958f4.json | 136 ---------- ...31051-ee01-4307-a6ee-b21b186958f4_103.json | 141 ++++++++++ ...31051-ee01-4307-a6ee-b21b186958f4_104.json | 136 ++++++++++ ...31051-ee01-4307-a6ee-b21b186958f4_105.json | 136 ++++++++++ .../e514d8cd-ed15-4011-84e2-d15147e059f1.json | 93 ------- ...4d8cd-ed15-4011-84e2-d15147e059f1_105.json | 93 +++++++ ...4d8cd-ed15-4011-84e2-d15147e059f1_106.json | 93 +++++++ ...4d8cd-ed15-4011-84e2-d15147e059f1_107.json | 93 +++++++ .../e555105c-ba6d-481f-82bb-9b633e7b4827.json | 88 ------- ...5105c-ba6d-481f-82bb-9b633e7b4827_203.json | 90 +++++++ ...5105c-ba6d-481f-82bb-9b633e7b4827_204.json | 91 +++++++ ...5105c-ba6d-481f-82bb-9b633e7b4827_205.json | 88 +++++++ .../e6c1a552-7776-44ad-ae0f-8746cc07773c.json | 95 ------- ...1a552-7776-44ad-ae0f-8746cc07773c_101.json | 96 +++++++ ...1a552-7776-44ad-ae0f-8746cc07773c_102.json | 95 +++++++ .../e6c98d38-633d-4b3e-9387-42112cd5ac10.json | 97 ------- ...98d38-633d-4b3e-9387-42112cd5ac10_102.json | 98 +++++++ ...98d38-633d-4b3e-9387-42112cd5ac10_103.json | 97 +++++++ .../e6e3ecff-03dd-48ec-acbd-54a04de10c68.json | 76 ------ ...3ecff-03dd-48ec-acbd-54a04de10c68_102.json | 79 ++++++ ...3ecff-03dd-48ec-acbd-54a04de10c68_103.json | 76 ++++++ .../e6e8912f-283f-4d0d-8442-e0dcaf49944b.json | 102 ------- ...8912f-283f-4d0d-8442-e0dcaf49944b_102.json | 103 ++++++++ ...8912f-283f-4d0d-8442-e0dcaf49944b_103.json | 102 +++++++ .../e7075e8d-a966-458e-a183-85cd331af255.json | 92 ------- ...75e8d-a966-458e-a183-85cd331af255_102.json | 96 +++++++ ...75e8d-a966-458e-a183-85cd331af255_103.json | 92 +++++++ .../e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json | 109 -------- ...25cea-9fe1-42a5-9a05-b0792cf86f5a_103.json | 110 ++++++++ ...25cea-9fe1-42a5-9a05-b0792cf86f5a_104.json | 109 ++++++++ .../e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json | 92 ------- ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json | 93 +++++++ ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json | 93 +++++++ ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json | 92 +++++++ .../e7cd5982-17c8-4959-874c-633acde7d426.json | 88 ------- ...d5982-17c8-4959-874c-633acde7d426_102.json | 91 +++++++ ...d5982-17c8-4959-874c-633acde7d426_103.json | 88 +++++++ .../e8571d5f-bea1-46c2-9f56-998de2d3ed95.json | 112 -------- ...71d5f-bea1-46c2-9f56-998de2d3ed95_103.json | 106 ++++++++ ...71d5f-bea1-46c2-9f56-998de2d3ed95_104.json | 113 ++++++++ ...71d5f-bea1-46c2-9f56-998de2d3ed95_105.json | 112 ++++++++ .../e86da94d-e54b-4fb5-b96c-cecff87e8787.json | 87 ------ ...da94d-e54b-4fb5-b96c-cecff87e8787_102.json | 88 +++++++ ...da94d-e54b-4fb5-b96c-cecff87e8787_103.json | 87 ++++++ .../e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json | 96 ------- ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json | 97 +++++++ ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json | 96 +++++++ .../e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json | 98 ------- ...9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json | 98 +++++++ .../e90ee3af-45fc-432e-a850-4a58cf14a457.json | 113 -------- ...ee3af-45fc-432e-a850-4a58cf14a457_102.json | 115 ++++++++ ...ee3af-45fc-432e-a850-4a58cf14a457_103.json | 113 ++++++++ .../e919611d-6b6f-493b-8314-7ed6ac2e413b.json | 104 -------- ...9611d-6b6f-493b-8314-7ed6ac2e413b_102.json | 105 ++++++++ ...9611d-6b6f-493b-8314-7ed6ac2e413b_103.json | 104 ++++++++ .../e94262f2-c1e9-4d3f-a907-aeab16712e1a.json | 86 ------ ...262f2-c1e9-4d3f-a907-aeab16712e1a_104.json | 87 ++++++ ...262f2-c1e9-4d3f-a907-aeab16712e1a_105.json | 87 ++++++ ...262f2-c1e9-4d3f-a907-aeab16712e1a_106.json | 86 ++++++ .../e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json | 106 -------- ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json | 107 ++++++++ ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json | 106 ++++++++ .../e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json | 63 ----- ...f9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json | 65 +++++ ...f9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102.json | 63 +++++ .../ea248a02-bc47-4043-8e94-2885b19b2636.json | 93 ------- ...48a02-bc47-4043-8e94-2885b19b2636_105.json | 95 +++++++ ...48a02-bc47-4043-8e94-2885b19b2636_106.json | 93 +++++++ .../eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json | 32 --- ...77d63-9679-4ce3-be25-3ba8b795e5fa_101.json | 34 +++ ...77d63-9679-4ce3-be25-3ba8b795e5fa_102.json | 32 +++ .../eb079c62-4481-4d6e-9643-3ca499df7aaa.json | 82 ------ ...79c62-4481-4d6e-9643-3ca499df7aaa_101.json | 84 ++++++ ...79c62-4481-4d6e-9643-3ca499df7aaa_102.json | 82 ++++++ .../eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json | 118 --------- ...10e70-f9e6-4949-82b9-f1c5bcd37c39_105.json | 119 +++++++++ ...10e70-f9e6-4949-82b9-f1c5bcd37c39_106.json | 118 +++++++++ .../eb6a3790-d52d-11ec-8ce9-f661ea17fbce.json | 115 -------- ...a3790-d52d-11ec-8ce9-f661ea17fbce_102.json | 116 ++++++++ ...a3790-d52d-11ec-8ce9-f661ea17fbce_103.json | 115 ++++++++ ...a3790-d52d-11ec-8ce9-f661ea17fbce_104.json | 115 ++++++++ .../eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json | 90 ------- ...eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json | 91 +++++++ ...eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json | 90 +++++++ .../ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json | 84 ------ ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json | 85 ++++++ ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json | 84 ++++++ .../ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json | 104 -------- ...1adea-ccf2-4943-8b96-7ab11ca173a5_104.json | 105 ++++++++ ...1adea-ccf2-4943-8b96-7ab11ca173a5_105.json | 104 ++++++++ .../ebfe1448-7fac-4d59-acea-181bd89b1f7f.json | 92 ------- ...e1448-7fac-4d59-acea-181bd89b1f7f_104.json | 93 +++++++ ...e1448-7fac-4d59-acea-181bd89b1f7f_105.json | 92 +++++++ .../ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json | 116 -------- ...efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json | 118 +++++++++ ...efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json | 116 ++++++++ .../ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json | 90 ------- ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json | 92 +++++++ ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json | 90 +++++++ .../ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json | 88 ------- ...ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json | 90 +++++++ ...ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json | 88 +++++++ .../eda499b8-a073-4e35-9733-22ec71f57f3a.json | 128 --------- ...499b8-a073-4e35-9733-22ec71f57f3a_104.json | 129 +++++++++ ...499b8-a073-4e35-9733-22ec71f57f3a_105.json | 128 +++++++++ .../edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json | 75 ------ ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json | 79 ++++++ ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json | 75 ++++++ .../edf8ee23-5ea7-4123-ba19-56b41e424ae3.json | 95 ------- ...8ee23-5ea7-4123-ba19-56b41e424ae3_104.json | 96 +++++++ ...8ee23-5ea7-4123-ba19-56b41e424ae3_105.json | 95 +++++++ .../edfd5ca9-9d6c-44d9-b615-1e56b920219c.json | 82 ------ ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json | 82 ++++++ .../ee5300a7-7e31-4a72-a258-250abb8b3aa1.json | 105 -------- ...300a7-7e31-4a72-a258-250abb8b3aa1_102.json | 105 ++++++++ ...300a7-7e31-4a72-a258-250abb8b3aa1_103.json | 105 ++++++++ .../eea82229-b002-470e-a9e1-00be38b14d32.json | 95 ------- ...82229-b002-470e-a9e1-00be38b14d32_102.json | 96 +++++++ ...82229-b002-470e-a9e1-00be38b14d32_103.json | 95 +++++++ .../ef04a476-07ec-48fc-8f3d-5e1742de76d3.json | 94 ------- ...4a476-07ec-48fc-8f3d-5e1742de76d3_103.json | 95 +++++++ ...4a476-07ec-48fc-8f3d-5e1742de76d3_104.json | 94 +++++++ .../ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json | 101 ------- ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json | 101 +++++++ ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json | 101 +++++++ .../ef862985-3f13-4262-a686-5f357bbb9bc2.json | 114 -------- ...62985-3f13-4262-a686-5f357bbb9bc2_105.json | 115 ++++++++ ...62985-3f13-4262-a686-5f357bbb9bc2_106.json | 114 ++++++++ .../f036953a-4615-4707-a1ca-dc53bf69dcd5.json | 108 -------- ...6953a-4615-4707-a1ca-dc53bf69dcd5_103.json | 109 ++++++++ ...6953a-4615-4707-a1ca-dc53bf69dcd5_104.json | 108 ++++++++ .../f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json | 140 ---------- ...93cb4-9b15-43a9-9359-68c23a7f2cf3_102.json | 141 ++++++++++ ...93cb4-9b15-43a9-9359-68c23a7f2cf3_103.json | 140 ++++++++++ .../f06414a6-f2a4-466d-8eba-10f85e8abf71.json | 75 ------ ...414a6-f2a4-466d-8eba-10f85e8abf71_102.json | 77 ++++++ ...414a6-f2a4-466d-8eba-10f85e8abf71_103.json | 75 ++++++ .../f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json | 99 ------- ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json | 100 +++++++ ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json | 99 +++++++ .../f0bc081a-2346-4744-a6a4-81514817e888.json | 81 ------ ...c081a-2346-4744-a6a4-81514817e888_101.json | 83 ++++++ ...c081a-2346-4744-a6a4-81514817e888_102.json | 81 ++++++ .../f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json | 113 -------- ...b70e9-71e9-40cd-813f-bf8e8c812cb1_102.json | 114 ++++++++ ...b70e9-71e9-40cd-813f-bf8e8c812cb1_103.json | 113 ++++++++ .../f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json | 118 --------- ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json | 118 +++++++++ ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json | 118 +++++++++ .../f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json | 75 ------ ...1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json | 76 ++++++ ...1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json | 75 ++++++ .../f24bcae1-8980-4b30-b5dd-f851b055c9e7.json | 116 -------- ...bcae1-8980-4b30-b5dd-f851b055c9e7_103.json | 117 +++++++++ ...bcae1-8980-4b30-b5dd-f851b055c9e7_104.json | 116 ++++++++ .../f28e2be4-6eca-4349-bdd9-381573730c22.json | 113 -------- ...e2be4-6eca-4349-bdd9-381573730c22_103.json | 114 ++++++++ ...e2be4-6eca-4349-bdd9-381573730c22_104.json | 113 ++++++++ .../f2c7b914-eda3-40c2-96ac-d23ef91776ca.json | 87 ------ ...7b914-eda3-40c2-96ac-d23ef91776ca_103.json | 88 +++++++ ...7b914-eda3-40c2-96ac-d23ef91776ca_104.json | 87 ++++++ .../f2f46686-6f3c-4724-bd7d-24e31c70f98f.json | 99 ------- ...46686-6f3c-4724-bd7d-24e31c70f98f_103.json | 100 +++++++ ...46686-6f3c-4724-bd7d-24e31c70f98f_104.json | 100 +++++++ ...46686-6f3c-4724-bd7d-24e31c70f98f_105.json | 99 +++++++ .../f30f3443-4fbb-4c27-ab89-c3ad49d62315.json | 82 ------ ...f3443-4fbb-4c27-ab89-c3ad49d62315_102.json | 85 ++++++ ...f3443-4fbb-4c27-ab89-c3ad49d62315_103.json | 82 ++++++ .../f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json | 108 -------- ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json | 101 +++++++ ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json | 114 ++++++++ ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json | 108 ++++++++ .../f3475224-b179-4f78-8877-c2bd64c26b88.json | 119 --------- ...75224-b179-4f78-8877-c2bd64c26b88_103.json | 120 +++++++++ ...75224-b179-4f78-8877-c2bd64c26b88_104.json | 120 +++++++++ ...75224-b179-4f78-8877-c2bd64c26b88_105.json | 119 +++++++++ ...75224-b179-4f78-8877-c2bd64c26b88_106.json | 119 +++++++++ .../f37f3054-d40b-49ac-aa9b-a786c74c58b8.json | 92 ------- ...f3054-d40b-49ac-aa9b-a786c74c58b8_101.json | 92 +++++++ ...f3054-d40b-49ac-aa9b-a786c74c58b8_102.json | 92 +++++++ .../f3e22c8b-ea47-45d1-b502-b57b6de950b3.json | 139 ---------- ...3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json | 139 ++++++++++ .../f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json | 88 ------- ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json | 89 +++++++ ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json | 88 +++++++ .../f494c678-3c33-43aa-b169-bb3d5198c41d.json | 91 ------- ...4c678-3c33-43aa-b169-bb3d5198c41d_105.json | 96 +++++++ ...4c678-3c33-43aa-b169-bb3d5198c41d_106.json | 91 +++++++ ...4c678-3c33-43aa-b169-bb3d5198c41d_107.json | 91 +++++++ .../f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json | 73 ------ ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json | 73 ++++++ .../f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json | 93 ------- ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json | 94 +++++++ ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json | 93 +++++++ .../f5fb4598-4f10-11ed-bdc3-0242ac120002.json | 89 ------- ...5fb4598-4f10-11ed-bdc3-0242ac120002_2.json | 90 +++++++ ...5fb4598-4f10-11ed-bdc3-0242ac120002_3.json | 89 +++++++ .../f63c8e3c-d396-404f-b2ea-0379d3942d73.json | 107 -------- ...c8e3c-d396-404f-b2ea-0379d3942d73_104.json | 108 ++++++++ ...c8e3c-d396-404f-b2ea-0379d3942d73_105.json | 107 ++++++++ .../f675872f-6d85-40a3-b502-c0d2ef101e92.json | 97 ------- ...5872f-6d85-40a3-b502-c0d2ef101e92_104.json | 98 +++++++ ...5872f-6d85-40a3-b502-c0d2ef101e92_105.json | 98 +++++++ ...5872f-6d85-40a3-b502-c0d2ef101e92_106.json | 97 +++++++ .../f683dcdf-a018-4801-b066-193d4ae6c8e5.json | 94 ------- ...3dcdf-a018-4801-b066-193d4ae6c8e5_102.json | 95 +++++++ ...3dcdf-a018-4801-b066-193d4ae6c8e5_103.json | 94 +++++++ .../f766ffaf-9568-4909-b734-75d19b35cbf4.json | 81 ------ ...6ffaf-9568-4909-b734-75d19b35cbf4_101.json | 83 ++++++ ...6ffaf-9568-4909-b734-75d19b35cbf4_102.json | 81 ++++++ .../f772ec8a-e182-483c-91d2-72058f76a44c.json | 95 ------- ...2ec8a-e182-483c-91d2-72058f76a44c_105.json | 98 +++++++ ...2ec8a-e182-483c-91d2-72058f76a44c_106.json | 95 +++++++ .../f7c4dc5a-a58d-491d-9f14-9b66507121c0.json | 98 ------- ...4dc5a-a58d-491d-9f14-9b66507121c0_104.json | 99 +++++++ ...4dc5a-a58d-491d-9f14-9b66507121c0_105.json | 99 +++++++ ...4dc5a-a58d-491d-9f14-9b66507121c0_106.json | 98 +++++++ .../f81ee52c-297e-46d9-9205-07e66931df26.json | 100 ------- ...ee52c-297e-46d9-9205-07e66931df26_102.json | 101 +++++++ ...ee52c-297e-46d9-9205-07e66931df26_103.json | 100 +++++++ .../f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json | 93 ------- ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json | 96 +++++++ ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json | 93 +++++++ .../f874315d-5188-4b4a-8521-d1c73093a7e4.json | 97 ------- ...4315d-5188-4b4a-8521-d1c73093a7e4_104.json | 98 +++++++ ...4315d-5188-4b4a-8521-d1c73093a7e4_105.json | 97 +++++++ .../f9590f47-6bd5-4a49-bd49-a2f886476fb9.json | 51 ---- ...90f47-6bd5-4a49-bd49-a2f886476fb9_101.json | 52 ++++ ...90f47-6bd5-4a49-bd49-a2f886476fb9_102.json | 52 ++++ ...90f47-6bd5-4a49-bd49-a2f886476fb9_103.json | 51 ++++ .../f95972d3-c23b-463b-89a8-796b3f369b49.json | 114 -------- ...95972d3-c23b-463b-89a8-796b3f369b49_2.json | 115 ++++++++ ...95972d3-c23b-463b-89a8-796b3f369b49_3.json | 114 ++++++++ .../f9790abf-bd0c-45f9-8b5f-d0b74015e029.json | 108 -------- ...9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json | 114 ++++++++ ...9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json | 114 ++++++++ ...9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json | 109 ++++++++ ...9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json | 108 ++++++++ .../f994964f-6fce-4d75-8e79-e16ccc412588.json | 119 --------- ...4964f-6fce-4d75-8e79-e16ccc412588_102.json | 122 +++++++++ ...4964f-6fce-4d75-8e79-e16ccc412588_103.json | 119 +++++++++ .../fa01341d-6662-426b-9d0c-6d81e33c8a9d.json | 92 ------- ...1341d-6662-426b-9d0c-6d81e33c8a9d_103.json | 93 +++++++ ...1341d-6662-426b-9d0c-6d81e33c8a9d_104.json | 92 +++++++ .../fa210b61-b627-4e5e-86f4-17e8270656ab.json | 97 ------- ...a210b61-b627-4e5e-86f4-17e8270656ab_1.json | 98 +++++++ ...a210b61-b627-4e5e-86f4-17e8270656ab_2.json | 97 +++++++ ...a210b61-b627-4e5e-86f4-17e8270656ab_3.json | 97 +++++++ .../fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json | 119 --------- ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json | 119 +++++++++ .../fa488440-04cc-41d7-9279-539387bf2a17.json | 107 -------- ...a488440-04cc-41d7-9279-539387bf2a17_2.json | 108 ++++++++ ...a488440-04cc-41d7-9279-539387bf2a17_3.json | 108 ++++++++ ...a488440-04cc-41d7-9279-539387bf2a17_4.json | 107 ++++++++ ...a488440-04cc-41d7-9279-539387bf2a17_5.json | 107 ++++++++ .../fb02b8d3-71ee-4af1-bacd-215d23f17efa.json | 134 ---------- ...2b8d3-71ee-4af1-bacd-215d23f17efa_102.json | 133 ++++++++++ ...2b8d3-71ee-4af1-bacd-215d23f17efa_103.json | 135 ++++++++++ ...2b8d3-71ee-4af1-bacd-215d23f17efa_104.json | 134 ++++++++++ .../fbd44836-0d69-4004-a0b4-03c20370c435.json | 94 ------- ...44836-0d69-4004-a0b4-03c20370c435_102.json | 97 +++++++ ...44836-0d69-4004-a0b4-03c20370c435_103.json | 94 +++++++ .../fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json | 100 ------- ...c0fa4-8f03-4b3e-8336-c5feab0be022_103.json | 101 +++++++ ...c0fa4-8f03-4b3e-8336-c5feab0be022_104.json | 100 +++++++ .../fd4a992d-6130-4802-9ff8-829b89ae801f.json | 114 -------- ...a992d-6130-4802-9ff8-829b89ae801f_104.json | 115 ++++++++ ...a992d-6130-4802-9ff8-829b89ae801f_105.json | 114 ++++++++ .../fd70c98a-c410-42dc-a2e3-761c71848acf.json | 99 ------- ...0c98a-c410-42dc-a2e3-761c71848acf_103.json | 100 +++++++ ...0c98a-c410-42dc-a2e3-761c71848acf_104.json | 100 +++++++ ...0c98a-c410-42dc-a2e3-761c71848acf_105.json | 99 +++++++ .../fd7a6052-58fa-4397-93c3-4795249ccfa2.json | 101 ------- ...a6052-58fa-4397-93c3-4795249ccfa2_104.json | 102 +++++++ ...a6052-58fa-4397-93c3-4795249ccfa2_105.json | 102 +++++++ ...a6052-58fa-4397-93c3-4795249ccfa2_106.json | 101 +++++++ .../fe794edd-487f-4a90-b285-3ee54f2af2d3.json | 97 ------- ...94edd-487f-4a90-b285-3ee54f2af2d3_104.json | 98 +++++++ ...94edd-487f-4a90-b285-3ee54f2af2d3_105.json | 97 +++++++ .../feeed87c-5e95-4339-aef1-47fd79bcfbe3.json | 108 -------- ...ed87c-5e95-4339-aef1-47fd79bcfbe3_104.json | 109 ++++++++ ...ed87c-5e95-4339-aef1-47fd79bcfbe3_105.json | 108 ++++++++ .../ff013cb4-274d-434a-96bb-fe15ddd3ae92.json | 89 ------- ...13cb4-274d-434a-96bb-fe15ddd3ae92_101.json | 98 +++++++ ...13cb4-274d-434a-96bb-fe15ddd3ae92_102.json | 89 +++++++ .../ff10d4d8-fea7-422d-afb1-e5a2702369a9.json | 143 ---------- ...f10d4d8-fea7-422d-afb1-e5a2702369a9_1.json | 144 ++++++++++ ...f10d4d8-fea7-422d-afb1-e5a2702369a9_2.json | 143 ++++++++++ ...f4599cb-409f-4910-a239-52e4e6f532ff_1.json | 81 ++++++ ...f4599cb-409f-4910-a239-52e4e6f532ff_2.json | 80 ++++++ .../ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json | 90 ------- ...dd44a-0ac6-44c4-8609-3f81bc820f02_101.json | 92 +++++++ ...dd44a-0ac6-44c4-8609-3f81bc820f02_102.json | 90 +++++++ .../ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json | 76 ------ ...b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json | 78 ++++++ ...b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json | 76 ++++++ .../security_detection_engine/manifest.yml | 6 +- 2608 files changed, 171474 insertions(+), 76735 deletions(-) delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json create mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json create mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json create mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json create mode 100644 packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json create mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json create mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json create mode 100644 packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json create mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json create mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json create mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json create mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json create mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624.json create mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json create mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json create mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json create mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json create mode 100644 packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json create mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json create mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json create mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json create mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json create mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json create mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json create mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json create mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json create mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json create mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json create mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json create mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json create mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json create mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json create mode 100644 packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json create mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json create mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json create mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json create mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json create mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json create mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json create mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json create mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json create mode 100644 packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json create mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json create mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json create mode 100644 packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json create mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json create mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json create mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json create mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json create mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json create mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json create mode 100644 packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json create mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json create mode 100644 packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json create mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json create mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json create mode 100644 packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json create mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json create mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json create mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json create mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json create mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json create mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json create mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json create mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json create mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json create mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json create mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json create mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json create mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json create mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index d9820a65d35e..65890ba561f2 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.7.9-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/6940 - version: 8.6.9 changes: - description: Release security rules update diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json deleted file mode 100644 index 0f93faedef83..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Policy Rule", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.rule.update\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json new file mode 100644 index 000000000000..2298729561c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json new file mode 100644 index 000000000000..6ac478874af0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json deleted file mode 100644 index 026fdf7b8ac7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*", - "logs-system.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via Windows Utilities", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", - "references": [ - "https://lolbas-project.github.io/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - }, - { - "id": "T1003.003", - "name": "NTDS", - "reference": "https://attack.mitre.org/techniques/T1003/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "00140285-b827-4aee-aa09-8113f58a08f3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json new file mode 100644 index 000000000000..ab80214cd6ee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Windows Utilities", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n /* update here with any new lolbas with dump capability */\n (process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n (process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n (process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n (process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n (process.pe.original_file_name == \"RdrLeakDiag.exe\" and process.args : \"/fullmemdmp\") or\n (process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n (process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n (process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n)\n", + "references": [ + "https://lolbas-project.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "00140285-b827-4aee-aa09-8113f58a08f3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json new file mode 100644 index 000000000000..887b4c8e37f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Windows Utilities", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", + "references": [ + "https://lolbas-project.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "00140285-b827-4aee-aa09-8113f58a08f3_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json new file mode 100644 index 000000000000..1e1a787224c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Windows Utilities", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", + "references": [ + "https://lolbas-project.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "00140285-b827-4aee-aa09-8113f58a08f3_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json deleted file mode 100644 index 39436e00830c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json new file mode 100644 index 000000000000..197b450cab63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Shells via Services", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json new file mode 100644 index 000000000000..03dc5a4ca6dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Shells via Services", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json new file mode 100644 index 000000000000..38cc2f533f53 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Shells via Services", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json deleted file mode 100644 index 11290d5fd9bc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", - "false_positives": [ - "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Suspended User Account Renewed", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", - "references": [ - "https://support.google.com/a/answer/1110339" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 2 - }, - "id": "00678712-b2df-11ed-afe9-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json new file mode 100644 index 000000000000..ba62bbc672a2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", + "false_positives": [ + "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Suspended User Account Renewed", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", + "references": [ + "https://support.google.com/a/answer/1110339" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json new file mode 100644 index 000000000000..b4783715a71b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", + "false_positives": [ + "Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Suspended User Account Renewed", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", + "references": [ + "https://support.google.com/a/answer/1110339" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json deleted file mode 100644 index 57d9e910264e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", - "false_positives": [ - "A user sending emails using personal distribution folders may trigger the event." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 User Restricted from Sending Email", - "note": "", - "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "0136b315-b566-482f-866c-1d8e2477ba16", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json new file mode 100644 index 000000000000..adc4756c3662 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json new file mode 100644 index 000000000000..c1776a8a920f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json deleted file mode 100644 index b7cb5797c64d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", - "false_positives": [ - "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Redshift Cluster Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "015cca13-8832-49ac-a01b-a396114809f6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json new file mode 100644 index 000000000000..a5d47000c5c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", + "false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Redshift Cluster Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "015cca13-8832-49ac-a01b-a396114809f6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json new file mode 100644 index 000000000000..073ebb0ec560 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", + "false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Redshift Cluster Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "015cca13-8832-49ac-a01b-a396114809f6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json deleted file mode 100644 index 40c7653f59cd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network-*", - "logs-network_traffic.*", - "packetbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Network Scan Detected", - "query": "destination.port :* and event.action: (\"network_flow\" or \"connection_accepted\" or \"connection_attempted\" )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", - "severity": "medium", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.port", - "value": 20 - } - ], - "field": [ - "destination.ip", - "source.ip" - ], - "value": 1 - }, - "type": "threshold", - "version": 1 - }, - "id": "0171f283-ade7-4f87-9521-ac346c68cc9b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json new file mode 100644 index 000000000000..3133587aaf41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-network_traffic.*", + "packetbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Network Scan Detected", + "query": "destination.port :* and event.action: (\"network_flow\" or \"connection_accepted\" or \"connection_attempted\" )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", + "severity": "medium", + "tags": [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "destination.port", + "value": 20 + } + ], + "field": [ + "destination.ip", + "source.ip" + ], + "value": 1 + }, + "type": "threshold", + "version": 1 + }, + "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json deleted file mode 100644 index 8b24fb7dbe8a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", - "false_positives": [ - "Developers performing browsers plugin or extension debugging." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Potential Cookies Theft via Browser Debugging", - "note": "", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", - "references": [ - "https://github.com/defaultnamehere/cookie_crimes", - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", - "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1539", - "name": "Steal Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1539/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 102 - }, - "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json new file mode 100644 index 000000000000..fc4709615858 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", + "false_positives": [ + "Developers performing browsers plugin or extension debugging." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Potential Cookies Theft via Browser Debugging", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", + "references": [ + "https://github.com/defaultnamehere/cookie_crimes", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", + "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json new file mode 100644 index 000000000000..8d75e8d6eb8f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", + "false_positives": [ + "Developers performing browsers plugin or extension debugging." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Potential Cookies Theft via Browser Debugging", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", + "references": [ + "https://github.com/defaultnamehere/cookie_crimes", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", + "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json deleted file mode 100644 index 20f7a562299e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Created with an Elevated Token", - "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", - "references": [ - "https://lengjibo.github.io/token/", - "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.effective_parent.executable", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.002", - "name": "Create Process with Token", - "reference": "https://attack.mitre.org/techniques/T1134/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json new file mode 100644 index 000000000000..3a7b7a75c56f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with an Elevated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", + "references": [ + "https://lengjibo.github.io/token/", + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json new file mode 100644 index 000000000000..1a57d68d5614 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with an Elevated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", + "references": [ + "https://lengjibo.github.io/token/", + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json deleted file mode 100644 index f914a2645283..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via DuplicateHandle in LSASS", - "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", - "references": [ - "https://github.com/CCob/MirrorDump" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.GrantedAccess", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "02a4576a-7480-4284-9327-548a806b5e48", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json new file mode 100644 index 000000000000..1167bfae3861 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DuplicateHandle in LSASS", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", + "references": [ + "https://github.com/CCob/MirrorDump" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "02a4576a-7480-4284-9327-548a806b5e48_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json new file mode 100644 index 000000000000..c5165db7748c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DuplicateHandle in LSASS", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", + "references": [ + "https://github.com/CCob/MirrorDump" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "02a4576a-7480-4284-9327-548a806b5e48_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_106.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_106.json new file mode 100644 index 000000000000..390f2137cb45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_106.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DuplicateHandle in LSASS", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", + "references": [ + "https://github.com/CCob/MirrorDump" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "02a4576a-7480-4284-9327-548a806b5e48_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json deleted file mode 100644 index b69eb73bf392..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Dumping Account Hashes via Built-In Commands", - "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", - "references": [ - "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", - "https://www.unix.com/man-page/osx/8/mkpassdb/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json new file mode 100644 index 000000000000..5e0a439390b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Dumping Account Hashes via Built-In Commands", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", + "references": [ + "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", + "https://www.unix.com/man-page/osx/8/mkpassdb/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json new file mode 100644 index 000000000000..cda3650dcf55 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Dumping Account Hashes via Built-In Commands", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", + "references": [ + "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", + "https://www.unix.com/man-page/osx/8/mkpassdb/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json deleted file mode 100644 index b0e8ac276120..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", - "false_positives": [ - "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json new file mode 100644 index 000000000000..e43646dba837 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json new file mode 100644 index 000000000000..18b47600d769 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json deleted file mode 100644 index 9c2a5a163aef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "High Number of Process and/or Service Terminations", - "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", - "references": [ - "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id" - ], - "value": 10 - }, - "type": "threshold", - "version": 105 - }, - "id": "035889c4-2686-4583-a7df-67f89c292f2c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json new file mode 100644 index 000000000000..9c05bc941e40 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process and/or Service Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", + "references": [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 104 + }, + "id": "035889c4-2686-4583-a7df-67f89c292f2c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json new file mode 100644 index 000000000000..8a50c1ab0bdd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process and/or Service Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", + "references": [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 105 + }, + "id": "035889c4-2686-4583-a7df-67f89c292f2c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json deleted file mode 100644 index 4517715edf43..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json +++ /dev/null @@ -1,145 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", - "false_positives": [ - "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of OpenSSH Binaries", - "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", - "references": [ - "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - }, - { - "id": "T1563", - "name": "Remote Service Session Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/", - "subtechnique": [ - { - "id": "T1563.001", - "name": "SSH Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "0415f22a-2336-45fa-ba07-618a5942e22c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json new file mode 100644 index 000000000000..2c7673123747 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", + "false_positives": [ + "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of OpenSSH Binaries", + "query": "event.category:file and host.os.type:linux and event.type:change and\n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.name:(\"dpkg\" or \"yum\" or \"dnf\" or \"dnf-automatic\")\n", + "references": [ + "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + }, + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0415f22a-2336-45fa-ba07-618a5942e22c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json new file mode 100644 index 000000000000..12e39841bb4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json @@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", + "false_positives": [ + "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of OpenSSH Binaries", + "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", + "references": [ + "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "0415f22a-2336-45fa-ba07-618a5942e22c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2.json b/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2.json deleted file mode 100644 index 36a89c44bb46..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", - "false_positives": [ - "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential DNS Tunneling via Iodine", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", - "references": [ - "https://code.kryo.se/iodine/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1572", - "name": "Protocol Tunneling", - "reference": "https://attack.mitre.org/techniques/T1572/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_103.json b/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_103.json new file mode 100644 index 000000000000..fb40b806abb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", + "false_positives": [ + "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via Iodine", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", + "references": [ + "https://code.kryo.se/iodine/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Command and Control", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "041d4d41-9589-43e2-ba13-5680af75ebc2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_104.json b/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_104.json new file mode 100644 index 000000000000..6910c2569f52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/041d4d41-9589-43e2-ba13-5680af75ebc2_104.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", + "false_positives": [ + "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via Iodine", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)\n", + "references": [ + "https://code.kryo.se/iodine/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "041d4d41-9589-43e2-ba13-5680af75ebc2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json deleted file mode 100644 index 43c5e72d57f0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure AD Global Administrator Role Assigned", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.category", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json new file mode 100644 index 000000000000..dc787f598562 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure AD Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json new file mode 100644 index 000000000000..0c9f4a875781 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure AD Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json deleted file mode 100644 index edba949470d9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Dennis Perto" - ], - "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", - "false_positives": [ - "Microsoft Antimalware Service Executable installed on non default installation path." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", - "references": [ - "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.002", - "name": "DLL Side-Loading", - "reference": "https://attack.mitre.org/techniques/T1574/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json new file mode 100644 index 000000000000..c545810fb409 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Dennis Perto" + ], + "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", + "false_positives": [ + "Microsoft Antimalware Service Executable installed on non default installation path." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", + "references": [ + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json new file mode 100644 index 000000000000..9d0f1ee817b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Dennis Perto" + ], + "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", + "false_positives": [ + "Microsoft Antimalware Service Executable installed on non default installation path." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", + "references": [ + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json deleted file mode 100644 index e3140170d2c0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Microsoft IIS Service Account Password Dumped", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", - "references": [ - "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json new file mode 100644 index 000000000000..77be5f18e17e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Service Account Password Dumped", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "0564fb9d-90b9-4234-a411-82a546dc1343_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json new file mode 100644 index 000000000000..beb878065dfd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Service Account Password Dumped", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "0564fb9d-90b9-4234-a411-82a546dc1343_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json deleted file mode 100644 index 8617cabd7b62..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Conhost Spawned By Suspicious Parent Process", - "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json new file mode 100644 index 000000000000..2b95e4877db9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Conhost Spawned By Suspicious Parent Process", + "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json new file mode 100644 index 000000000000..f08eb646c3bb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Conhost Spawned By Suspicious Parent Process", + "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json deleted file mode 100644 index 92ce0cc1f61e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Interactive Terminal Spawned via Perl", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json new file mode 100644 index 000000000000..d6aadc554886 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Perl", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json new file mode 100644 index 000000000000..4a1d1da03bcf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Perl", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json deleted file mode 100644 index 1968868d7d8c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote System Discovery Commands", - "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/" - }, - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "0635c542-1b96-4335-9b47-126582d2c19a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json new file mode 100644 index 000000000000..e3fa48632540 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote System Discovery Commands", + "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "0635c542-1b96-4335-9b47-126582d2c19a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json new file mode 100644 index 000000000000..3422c8ed55d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote System Discovery Commands", + "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "0635c542-1b96-4335-9b47-126582d2c19a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json new file mode 100644 index 000000000000..20b9b7b00932 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote System Discovery Commands", + "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "0635c542-1b96-4335-9b47-126582d2c19a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json deleted file mode 100644 index b2b0ee98c182..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Time Discovery", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1124", - "name": "System Time Discovery", - "reference": "https://attack.mitre.org/techniques/T1124/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "06568a02-af29-4f20-929c-f3af281e41aa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json new file mode 100644 index 000000000000..ffad3f3de8f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Time Discovery", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1124", + "name": "System Time Discovery", + "reference": "https://attack.mitre.org/techniques/T1124/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "06568a02-af29-4f20-929c-f3af281e41aa_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json new file mode 100644 index 000000000000..8c01a723806e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Time Discovery", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1124", + "name": "System Time Discovery", + "reference": "https://attack.mitre.org/techniques/T1124/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "06568a02-af29-4f20-929c-f3af281e41aa_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json deleted file mode 100644 index 8a6e4a7b03b5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", - "false_positives": [ - "Domain administrators may use this command-line utility for legitimate information gathering purposes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumerating Domain Trusts via DSQUERY.EXE", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", - "references": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", - "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1482", - "name": "Domain Trust Discovery", - "reference": "https://attack.mitre.org/techniques/T1482/" - }, - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "06a7a03c-c735-47a6-a313-51c354aef6c3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json new file mode 100644 index 000000000000..152dea4df11b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via DSQUERY.EXE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", + "references": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", + "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json new file mode 100644 index 000000000000..87ae857fe608 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via DSQUERY.EXE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", + "references": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", + "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json deleted file mode 100644 index 0ab61a644bc7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Evasion via Filter Manager", - "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json new file mode 100644 index 000000000000..2061ea99e3de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json new file mode 100644 index 000000000000..af0d378bc728 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json new file mode 100644 index 000000000000..3dca64ec2c68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json deleted file mode 100644 index c31cdd60a659..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.004", - "name": "Disable or Modify System Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "074464f9-f30d-4029-8c03-0ed237fffec7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json new file mode 100644 index 000000000000..31d7a482d001 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "074464f9-f30d-4029-8c03-0ed237fffec7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json new file mode 100644 index 000000000000..d88d0a0bd8aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "074464f9-f30d-4029-8c03-0ed237fffec7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json deleted file mode 100644 index 029b467c7d42..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Proc Pseudo File System Enumeration", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1\n", - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "medium", - "tags": [ - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - }, - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "file.path", - "value": 25 - } - ], - "field": [ - "host.id", - "process.pid", - "process.name" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 1 - }, - "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json new file mode 100644 index 000000000000..615f3d6625ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Proc Pseudo File System Enumeration", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "medium", + "tags": [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "file.path", + "value": 25 + } + ], + "field": [ + "host.id", + "process.pid", + "process.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 1 + }, + "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json deleted file mode 100644 index 87a702a4d3e0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Local Account TokenFilter Policy Disabled", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", - "references": [ - "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", - "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json new file mode 100644 index 000000000000..5577129567d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json new file mode 100644 index 000000000000..0100ce78789d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json deleted file mode 100644 index 54bb41be8dab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", - "false_positives": [ - "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Drive Ownership Transferred via Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", - "references": [ - "https://support.google.com/a/answer/1247799?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1074", - "name": "Data Staged", - "reference": "https://attack.mitre.org/techniques/T1074/", - "subtechnique": [ - { - "id": "T1074.002", - "name": "Remote Data Staging", - "reference": "https://attack.mitre.org/techniques/T1074/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json new file mode 100644 index 000000000000..80a0f837191b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", + "false_positives": [ + "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Drive Ownership Transferred via Google Workspace", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", + "references": [ + "https://support.google.com/a/answer/1247799?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.002", + "name": "Remote Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json new file mode 100644 index 000000000000..ccc884dc385c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", + "false_positives": [ + "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Drive Ownership Transferred via Google Workspace", + "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", + "references": [ + "https://support.google.com/a/answer/1247799?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Collection", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.002", + "name": "Remote Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json new file mode 100644 index 000000000000..434d01055d22 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", + "false_positives": [ + "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Drive Ownership Transferred via Google Workspace", + "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", + "references": [ + "https://support.google.com/a/answer/1247799?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.002", + "name": "Remote Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json deleted file mode 100644 index f03953986c24..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Browser Child Process", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", - "references": [ - "https://objective-see.com/blog/blog_0x43.html", - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1203", - "name": "Exploitation for Client Execution", - "reference": "https://attack.mitre.org/techniques/T1203/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1189", - "name": "Drive-by Compromise", - "reference": "https://attack.mitre.org/techniques/T1189/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "080bc66a-5d56-4d1f-8071-817671716db9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json new file mode 100644 index 000000000000..c58ce02c4f25 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Browser Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", + "references": [ + "https://objective-see.com/blog/blog_0x43.html", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Initial Access", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "080bc66a-5d56-4d1f-8071-817671716db9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json new file mode 100644 index 000000000000..eff45c41b7e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Browser Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", + "references": [ + "https://objective-see.com/blog/blog_0x43.html", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "080bc66a-5d56-4d1f-8071-817671716db9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json deleted file mode 100644 index ea35602c781d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", - "false_positives": [ - "Trusted applications persisting via LaunchAgent" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Launch Agent Creation or Modification and Immediate Loading", - "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json new file mode 100644 index 000000000000..f6b6d164f260 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", + "false_positives": [ + "Trusted applications persisting via LaunchAgent" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Launch Agent Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json new file mode 100644 index 000000000000..93315c75005a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", + "false_positives": [ + "Trusted applications persisting via LaunchAgent" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Launch Agent Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json deleted file mode 100644 index 0d945336cea0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Hidden Child Process of Launchd", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", - "references": [ - "https://objective-see.com/blog/blog_0x61.html", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "083fa162-e790-4d85-9aeb-4fea04188adb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json new file mode 100644 index 000000000000..28e20721ce83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Hidden Child Process of Launchd", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", + "references": [ + "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "083fa162-e790-4d85-9aeb-4fea04188adb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json new file mode 100644 index 000000000000..18ab2b04bb2a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Hidden Child Process of Launchd", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", + "references": [ + "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "083fa162-e790-4d85-9aeb-4fea04188adb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json deleted file mode 100644 index 83386253960a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen Removable Device", - "new_terms_fields": [ - "registry.path" - ], - "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", - "references": [ - "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", - "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.value", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1091", - "name": "Replication Through Removable Media", - "reference": "https://attack.mitre.org/techniques/T1091/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1052", - "name": "Exfiltration Over Physical Medium", - "reference": "https://attack.mitre.org/techniques/T1052/", - "subtechnique": [ - { - "id": "T1052.001", - "name": "Exfiltration over USB", - "reference": "https://attack.mitre.org/techniques/T1052/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json new file mode 100644 index 000000000000..c18bc65ad847 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Removable Device", + "new_terms_fields": [ + "registry.path" + ], + "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", + "references": [ + "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1091", + "name": "Replication Through Removable Media", + "reference": "https://attack.mitre.org/techniques/T1091/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1052", + "name": "Exfiltration Over Physical Medium", + "reference": "https://attack.mitre.org/techniques/T1052/", + "subtechnique": [ + { + "id": "T1052.001", + "name": "Exfiltration over USB", + "reference": "https://attack.mitre.org/techniques/T1052/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json deleted file mode 100644 index a833f5a0ecff..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation of Hidden Launch Agent or Daemon", - "note": "", - "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.001", - "name": "Launch Agent", - "reference": "https://attack.mitre.org/techniques/T1543/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json new file mode 100644 index 000000000000..d97980692cbe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Launch Agent or Daemon", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "092b068f-84ac-485d-8a55-7dd9e006715f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json new file mode 100644 index 000000000000..654738d361a2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Launch Agent or Daemon", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "092b068f-84ac-485d-8a55-7dd9e006715f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json deleted file mode 100644 index a268debfa29d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Termination followed by Deletion", - "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "09443c92-46b3-45a4-8f25-383b028b258d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json new file mode 100644 index 000000000000..53c7e15ab7ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Termination followed by Deletion", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "09443c92-46b3-45a4-8f25-383b028b258d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json new file mode 100644 index 000000000000..20daa1e01549 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Termination followed by Deletion", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "09443c92-46b3-45a4-8f25-383b028b258d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json deleted file mode 100644 index ab322d7717b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", - "false_positives": [ - "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "09d028a5-dcde-409f-8ae0-557cef1b7082", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json new file mode 100644 index 000000000000..03044de57a53 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", + "false_positives": [ + "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "09d028a5-dcde-409f-8ae0-557cef1b7082_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json new file mode 100644 index 000000000000..931551b428d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", + "false_positives": [ + "Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "09d028a5-dcde-409f-8ae0-557cef1b7082_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json deleted file mode 100644 index 6565246be559..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Malware - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 99, - "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", - "severity": "critical", - "tags": [ - "Data Source: Elastic Endgame" - ], - "type": "query", - "version": 101 - }, - "id": "0a97b20f-4144-49ea-be32-b540ecc445de", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json new file mode 100644 index 000000000000..10172dde04f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Malware - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", + "severity": "critical", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 100 + }, + "id": "0a97b20f-4144-49ea-be32-b540ecc445de_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json new file mode 100644 index 000000000000..2156f790f95d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Malware - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", + "severity": "critical", + "tags": [ + "Data Source: Elastic Endgame" + ], + "type": "query", + "version": 101 + }, + "id": "0a97b20f-4144-49ea-be32-b540ecc445de_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json deleted file mode 100644 index 3bf428f986ca..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", - "false_positives": [ - "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_process_creation" - ], - "name": "Anomalous Windows Process Creation", - "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "type": "machine_learning", - "version": 104 - }, - "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json new file mode 100644 index 000000000000..ae8cd0f07944 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_creation" + ], + "name": "Anomalous Windows Process Creation", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json new file mode 100644 index 000000000000..d59b151dc6af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_creation" + ], + "name": "Anomalous Windows Process Creation", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json new file mode 100644 index 000000000000..b33aa1cd584c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", + "false_positives": [ + "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_creation" + ], + "name": "Anomalous Windows Process Creation", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json deleted file mode 100644 index b245f7b2af8c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User account exposed to Kerberoasting", - "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", - "references": [ - "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", - "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", - "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", - "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", - "https://adsecurity.org/?p=280", - "https://github.com/OTRF/Set-AuditRule" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ObjectClass", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.003", - "name": "Kerberoasting", - "reference": "https://attack.mitre.org/techniques/T1558/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json new file mode 100644 index 000000000000..afe7d4765e85 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User account exposed to Kerberoasting", + "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and\n event.code:5136 and winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", + "references": [ + "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", + "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", + "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", + "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", + "https://adsecurity.org/?p=280", + "https://github.com/OTRF/Set-AuditRule" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json new file mode 100644 index 000000000000..289bd90695ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User account exposed to Kerberoasting", + "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", + "references": [ + "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", + "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", + "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", + "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", + "https://adsecurity.org/?p=280", + "https://github.com/OTRF/Set-AuditRule" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json new file mode 100644 index 000000000000..a1cb9ada44ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User account exposed to Kerberoasting", + "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", + "references": [ + "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", + "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", + "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", + "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", + "https://adsecurity.org/?p=280", + "https://github.com/OTRF/Set-AuditRule" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json deleted file mode 100644 index b842099a453c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Threat Intel IP Address Indicator Match", - "query": "source.ip:* or destination.ip:*\n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", - "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 99, - "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Rule Type: Indicator Match" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "filebeat-*", - "logs-ti_*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "source.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - }, - { - "entries": [ - { - "field": "destination.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 1 - }, - "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json new file mode 100644 index 000000000000..461ea8e2603f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel IP Address Indicator Match", + "query": "source.ip:* or destination.ip:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 99, + "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 1 + }, + "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json deleted file mode 100644 index 20f9639ab87b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Peripheral Device Discovery", - "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1120", - "name": "Peripheral Device Discovery", - "reference": "https://attack.mitre.org/techniques/T1120/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json new file mode 100644 index 000000000000..1942c08b06a3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Peripheral Device Discovery", + "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1120", + "name": "Peripheral Device Discovery", + "reference": "https://attack.mitre.org/techniques/T1120/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json new file mode 100644 index 000000000000..2158e87be664 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Peripheral Device Discovery", + "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1120", + "name": "Peripheral Device Discovery", + "reference": "https://attack.mitre.org/techniques/T1120/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json deleted file mode 100644 index 86573fc2865c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0.json +++ /dev/null @@ -1,231 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Deprecated - Threat Intel Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps\n\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n\nThis rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons and to avoid alert duplication due to the indicators expiration new feature. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\n* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64\n* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca\n* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60\n* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "file.hash.*", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.pe.imphash", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "url.full", - "type": "wildcard" - } - ], - "risk_score": 99, - "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", - "setup": "This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons and to avoid alert duplication due to the indicators expiration new feature. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\nThreat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bcaThreat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.dataset", - "negate": false, - "params": { - "query": "ti_*" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ti_*" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "logs-ti_*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "file.hash.md5", - "type": "mapping", - "value": "threat.indicator.file.hash.md5" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha1", - "type": "mapping", - "value": "threat.indicator.file.hash.sha1" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha256", - "type": "mapping", - "value": "threat.indicator.file.hash.sha256" - } - ] - }, - { - "entries": [ - { - "field": "file.pe.imphash", - "type": "mapping", - "value": "threat.indicator.file.pe.imphash" - } - ] - }, - { - "entries": [ - { - "field": "source.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - }, - { - "entries": [ - { - "field": "destination.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - }, - { - "entries": [ - { - "field": "url.full", - "type": "mapping", - "value": "threat.indicator.url.full" - } - ] - }, - { - "entries": [ - { - "field": "registry.path", - "type": "mapping", - "value": "threat.indicator.registry.path" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 204 - }, - "id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_103.json b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_103.json new file mode 100644 index 000000000000..d565b7ea4a5d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_103.json @@ -0,0 +1,235 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", + "severity": "critical", + "tags": [ + "Elastic", + "Windows", + "Elastic Endgame", + "Network", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 103 + }, + "id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_104.json b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_104.json new file mode 100644 index 000000000000..1718730b81da --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_104.json @@ -0,0 +1,230 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 104 + }, + "id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_204.json b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_204.json new file mode 100644 index 000000000000..383a3750c11d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_204.json @@ -0,0 +1,231 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated - Threat Intel Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps\n\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n\nThis rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons and to avoid alert duplication due to the indicators expiration new feature. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\n* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64\n* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca\n* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60\n* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", + "setup": "This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons and to avoid alert duplication due to the indicators expiration new feature. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\nThreat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bcaThreat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 204 + }, + "id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json deleted file mode 100644 index 425a0d35e9c2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", - "false_positives": [ - "Assignment of rights to a service account." - ], - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "O365 Exchange Suspicious Mailbox Right Delegation", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.AccessRights", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.002", - "name": "Additional Email Delegate Permissions", - "reference": "https://attack.mitre.org/techniques/T1098/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "0ce6487d-8069-4888-9ddd-61b52490cebc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json new file mode 100644 index 000000000000..6f173dff1107 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json new file mode 100644 index 000000000000..e858df7ae669 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json deleted file mode 100644 index c5ef57d15684..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", - "false_positives": [ - "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." - ], - "from": "now-24h", - "index": [ - ".alerts-security.*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Multiple Alerts Involving a User", - "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", - "required_fields": [ - { - "ecs": false, - "name": "signal.rule.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule" - ], - "threshold": { - "cardinality": [ - { - "field": "signal.rule.rule_id", - "value": 5 - } - ], - "field": [ - "user.name" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 3 - }, - "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json new file mode 100644 index 000000000000..387ab7ab508e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", + "false_positives": [ + "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." + ], + "from": "now-24h", + "index": [ + ".alerts-security.*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Alerts Involving a User", + "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", + "required_fields": [ + { + "ecs": false, + "name": "signal.rule.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", + "severity": "high", + "tags": [ + "Elastic", + "Threat Detection", + "Higher-Order Rules" + ], + "threshold": { + "cardinality": [ + { + "field": "signal.rule.rule_id", + "value": 5 + } + ], + "field": [ + "user.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 2 + }, + "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_3.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_3.json new file mode 100644 index 000000000000..9a16d92aff23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_3.json @@ -0,0 +1,61 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", + "false_positives": [ + "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." + ], + "from": "now-24h", + "index": [ + ".alerts-security.*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Alerts Involving a User", + "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", + "required_fields": [ + { + "ecs": false, + "name": "signal.rule.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule" + ], + "threshold": { + "cardinality": [ + { + "field": "signal.rule.rule_id", + "value": 5 + } + ], + "field": [ + "user.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 3 + }, + "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json deleted file mode 100644 index 996c9b1f410e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", - "false_positives": [ - "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Nping Process Activity", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json new file mode 100644 index 000000000000..95ce36733f2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Nping Process Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json new file mode 100644 index 000000000000..953c377edb0f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Nping Process Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json deleted file mode 100644 index 6b745fe393aa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json +++ /dev/null @@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", - "from": "now-120m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of File Written or Modified by Microsoft Office", - "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json new file mode 100644 index 000000000000..232c04119d9a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by Microsoft Office", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json new file mode 100644 index 000000000000..d55fd519fca4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by Microsoft Office", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json deleted file mode 100644 index 8a580c56aba6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", - "false_positives": [ - "Benign files can trigger signatures in the built-in virus protection" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SharePoint Malware File Upload", - "note": "", - "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1080", - "name": "Taint Shared Content", - "reference": "https://attack.mitre.org/techniques/T1080/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json new file mode 100644 index 000000000000..a86baff0ba16 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json new file mode 100644 index 000000000000..6ea4bf8c6f64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json deleted file mode 100644 index ff3c3942574d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", - "false_positives": [ - "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Key Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts", - "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json new file mode 100644 index 000000000000..d106acbf52f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", + "false_positives": [ + "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Key Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json new file mode 100644 index 000000000000..16d79bb57d6e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", + "false_positives": [ + "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Key Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json deleted file mode 100644 index d65d83a0c5cf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "MsBuild Making Network Connections", - "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/", - "subtechnique": [ - { - "id": "T1127.001", - "name": "MSBuild", - "reference": "https://attack.mitre.org/techniques/T1127/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "0e79980b-4250-4a50-a509-69294c14e84b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json new file mode 100644 index 000000000000..4aa9d7eefbfd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MsBuild Making Network Connections", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "0e79980b-4250-4a50-a509-69294c14e84b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json new file mode 100644 index 000000000000..91e10b64c39f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MsBuild Making Network Connections", + "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "0e79980b-4250-4a50-a509-69294c14e84b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json new file mode 100644 index 000000000000..f1e0722f7533 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MsBuild Making Network Connections", + "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "0e79980b-4250-4a50-a509-69294c14e84b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json deleted file mode 100644 index ba17b78e4574..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence Through Run Control Detected", - "new_terms_fields": [ - "host.id", - "process.executable" - ], - "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", - "references": [ - "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/", - "subtechnique": [ - { - "id": "T1037.004", - "name": "RC Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/004/" - } - ] - } - ] - } - ], - "type": "new_terms", - "version": 103 - }, - "id": "0f4d35e4-925e-4959-ab24-911be207ee6f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json new file mode 100644 index 000000000000..b2c8055a0a7a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd, however through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RC Script Creation", + "note": "## Triage and analysis\n### Investigating RC script creation\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. The rc.local file has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. There might still be users that use rc.local in a benign matter, so investigation to see whether the file is malicious is vital. The first file to check can be found here:\n- /etc/rc.local\n\nThis file may contain a path to an executable, script or a command. Additionally, the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator` is used to convert rc.local into rc-local.service. The service and wants files can be found in the following directories:\n- /lib/systemd/system/rc-local.service\n- /run/systemd/generator/multi-user.target.wants/rc-local.service\n\nIn case the file is not present here, the `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. Make sure to investigate all files mentioned above, and files that these scripts may link to establish whether the alert is malicious or benign behavior.\n\n### Investigating RC script execution\nThe detection rule queries for the creation of these files, but manual analysis is required to check for rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. The following command can be used to check for the execution of this service:\n\n`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"`\n\nIf logging is found, analyze it, and chances are that the contents of the rc.local file have been executed. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/rc.local files or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by user.id, host.id with maxspan=15s\n[file where host.os.type == \"linux\" and \n event.type == \"creation\" and\n file.path == \"/etc/rc.local\"]\n[process where host.os.type == \"linux\" and \n event.type == \"start\" and\n process.name == \"chmod\" and\n process.args == \"+x\" and process.args == \"/etc/rc.local\"]\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json new file mode 100644 index 000000000000..7fc0b7da10b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through Run Control Detected", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "type": "new_terms", + "version": 103 + }, + "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json deleted file mode 100644 index d80b544bc2d8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "note": "", - "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", - "references": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetImage", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", - "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "winlog.event_data.TargetProcessId", - "value": 2 - } - ], - "field": [ - "process.entity_id" - ], - "value": 2 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 106 - }, - "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json new file mode 100644 index 000000000000..3ba8c368994f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "note": "", + "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", + "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "winlog.event_data.TargetProcessId", + "value": 2 + } + ], + "field": [ + "process.entity_id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 103 + }, + "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json new file mode 100644 index 000000000000..ae970f335f47 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "note": "", + "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", + "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "winlog.event_data.TargetProcessId", + "value": 2 + } + ], + "field": [ + "process.entity_id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_106.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_106.json new file mode 100644 index 000000000000..4186f94439e4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_106.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "note": "", + "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", + "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "winlog.event_data.TargetProcessId", + "value": 2 + } + ], + "field": [ + "process.entity_id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 106 + }, + "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json deleted file mode 100644 index 5bf6bfa102c8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Privilege Escalation via Root Crontab File Modification", - "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", - "references": [ - "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", - "https://www.exploit-db.com/exploits/42146" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json new file mode 100644 index 000000000000..429d2e882b89 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Privilege Escalation via Root Crontab File Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", + "references": [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json new file mode 100644 index 000000000000..c6c8ea42358e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Privilege Escalation via Root Crontab File Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", + "references": [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json deleted file mode 100644 index 7aa7ffcd3070..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", - "false_positives": [ - "Legitimate WebProxy Settings Modification" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "WebProxy Settings Modification", - "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", - "references": [ - "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", - "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1539", - "name": "Steal Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1539/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json new file mode 100644 index 000000000000..b87f8c893eb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", + "false_positives": [ + "Legitimate WebProxy Settings Modification" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "WebProxy Settings Modification", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", + "references": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json new file mode 100644 index 000000000000..640cfe0b02cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", + "false_positives": [ + "Legitimate WebProxy Settings Modification" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "WebProxy Settings Modification", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", + "references": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json deleted file mode 100644 index 56c674313e42..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", - "false_positives": [ - "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." - ], - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Abnormally Large DNS Response", - "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.bytes", - "type": "long" - }, - { - "ecs": false, - "name": "type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "11013227-0301-4a8c-b150-4db924484475", - "severity": "medium", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "11013227-0301-4a8c-b150-4db924484475", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json new file mode 100644 index 000000000000..30991c035ad8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", + "false_positives": [ + "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." + ], + "index": [ + "packetbeat-*", + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormally Large DNS Response", + "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", + "query": "event.category:(network or network_traffic) and destination.port:53 and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.bytes", + "type": "long" + }, + { + "ecs": false, + "name": "type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11013227-0301-4a8c-b150-4db924484475", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "11013227-0301-4a8c-b150-4db924484475_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json new file mode 100644 index 000000000000..ffa44bfc8b6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", + "false_positives": [ + "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment." + ], + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormally Large DNS Response", + "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", + "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.bytes", + "type": "long" + }, + { + "ecs": false, + "name": "type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11013227-0301-4a8c-b150-4db924484475", + "severity": "medium", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "11013227-0301-4a8c-b150-4db924484475_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json deleted file mode 100644 index ac45fdb4181a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json new file mode 100644 index 000000000000..2fa35a97c97f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL SideLoading via Trusted Microsoft Programs", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json new file mode 100644 index 000000000000..f2c433f5f27c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL SideLoading via Trusted Microsoft Programs", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json deleted file mode 100644 index 6503a989ee9a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", - "references": [ - "https://github.com/AzAgarampur/byeintegrity-uac" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json new file mode 100644 index 000000000000..a4f7d4dc5732 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json new file mode 100644 index 000000000000..44b646dcb23b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json new file mode 100644 index 000000000000..b51c082e5321 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json deleted file mode 100644 index e43203b2c648..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", - "false_positives": [ - "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Snapshot Export", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Exfiltration" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "119c8877-8613-416d-a98a-96b6664ee73a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json new file mode 100644 index 000000000000..ef7e22cf9363 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", + "false_positives": [ + "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Export", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility", + "Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "119c8877-8613-416d-a98a-96b6664ee73a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json new file mode 100644 index 000000000000..2f6d8ee7cdcc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", + "false_positives": [ + "Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Export", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "119c8877-8613-416d-a98a-96b6664ee73a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json deleted file mode 100644 index cb93107f69de..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Script with Token Impersonation Capabilities", - "note": "", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", - "references": [ - "https://github.com/decoder-it/psgetsystem", - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.001", - "name": "Token Impersonation/Theft", - "reference": "https://attack.mitre.org/techniques/T1134/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - }, - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 - }, - "id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json new file mode 100644 index 000000000000..562916ddfebd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Token Impersonation Capabilities", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json new file mode 100644 index 000000000000..321a7caba073 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Token Impersonation Capabilities", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", + "references": [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json new file mode 100644 index 000000000000..a9f4619fef41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Token Impersonation Capabilities", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", + "references": [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json deleted file mode 100644 index 1ae9ee21be5a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", - "false_positives": [ - "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Third-party Backup Files Deleted via Unexpected Process", - "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", - "references": [ - "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json new file mode 100644 index 000000000000..a26f68d84c71 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", + "false_positives": [ + "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Third-party Backup Files Deleted via Unexpected Process", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n )\n", + "references": [ + "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json new file mode 100644 index 000000000000..51fe1ad5d7c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", + "false_positives": [ + "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Third-party Backup Files Deleted via Unexpected Process", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", + "references": [ + "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json new file mode 100644 index 000000000000..0bfc8600ac02 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", + "false_positives": [ + "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Third-party Backup Files Deleted via Unexpected Process", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", + "references": [ + "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json deleted file mode 100644 index 9096a281a664..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", - "false_positives": [ - "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Route 53 Domain Transfer Lock Disabled", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "12051077-0124-4394-9522-8f4f4db1d674", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json new file mode 100644 index 000000000000..dcd0cb626122 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", + "false_positives": [ + "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route 53 Domain Transfer Lock Disabled", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "12051077-0124-4394-9522-8f4f4db1d674_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json new file mode 100644 index 000000000000..215dd753e613 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", + "false_positives": [ + "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route 53 Domain Transfer Lock Disabled", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "12051077-0124-4394-9522-8f4f4db1d674_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json deleted file mode 100644 index d96dc058afe3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Lsass Process Access", - "note": "## Setup", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", - "references": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.GrantedAccess", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetImage", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "128468bf-cab1-4637-99ea-fdf3780a4609", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json new file mode 100644 index 000000000000..e53b81993211 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Lsass Process Access", + "note": "## Setup", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "128468bf-cab1-4637-99ea-fdf3780a4609_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json new file mode 100644 index 000000000000..62a83dab4ef4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Lsass Process Access", + "note": "## Setup", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "128468bf-cab1-4637-99ea-fdf3780a4609_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_5.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_5.json new file mode 100644 index 000000000000..183f57b12bd6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_5.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Lsass Process Access", + "note": "## Setup", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "128468bf-cab1-4637-99ea-fdf3780a4609_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json deleted file mode 100644 index f59634ce4c6b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", - "false_positives": [ - "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Suspicious Self-Subject Review", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", - "references": [ - "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", - "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.impersonatedUser.username", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1613", - "name": "Container and Resource Discovery", - "reference": "https://attack.mitre.org/techniques/T1613/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "12a2f15d-597e-4334-88ff-38a02cb1330b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json new file mode 100644 index 000000000000..1802695d1dfe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", + "false_positives": [ + "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Suspicious Self-Subject Review", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", + "references": [ + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", + "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.impersonatedUser.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json new file mode 100644 index 000000000000..45a44181f5d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", + "false_positives": [ + "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Suspicious Self-Subject Review", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", + "references": [ + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", + "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.impersonatedUser.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json deleted file mode 100644 index 8ba7bcd0bf9d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", - "false_positives": [ - "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Pod Created With HostNetwork", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", - "references": [ - "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", - "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", - "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.hostNetwork", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "12cbf709-69e8-4055-94f9-24314385c27e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json new file mode 100644 index 000000000000..959528675fc1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostNetwork", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostNetwork", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "12cbf709-69e8-4055-94f9-24314385c27e_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json new file mode 100644 index 000000000000..dc8a147da3df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostNetwork", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostNetwork", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "12cbf709-69e8-4055-94f9-24314385c27e_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json deleted file mode 100644 index da521f958b47..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Cmd Execution via WMI", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "12f07955-1674-44f7-86b5-c35da0a6f41a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json new file mode 100644 index 000000000000..2a407c237828 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Cmd Execution via WMI", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json new file mode 100644 index 000000000000..a7f94a6bfdac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Cmd Execution via WMI", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json deleted file mode 100644 index 4b3b5a3cb9e9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", - "false_positives": [ - "Legitimate scheduled jobs may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Scheduled Job Creation", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "1327384f-00f3-44d5-9a8c-2373ba071e92", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json new file mode 100644 index 000000000000..5a6f27d72047 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate scheduled jobs may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Scheduled Job Creation", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json new file mode 100644 index 000000000000..41d9c678ccd6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate scheduled jobs may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Scheduled Job Creation", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json deleted file mode 100644 index bfda5709b8c0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", - "false_positives": [ - "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_rare_user", - "name": "Rare User Logon", - "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - }, - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json new file mode 100644 index 000000000000..4bd2511ccb09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json @@ -0,0 +1,65 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", + "false_positives": [ + "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_user", + "name": "Rare User Logon", + "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json new file mode 100644 index 000000000000..616fd66bbb01 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json @@ -0,0 +1,65 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", + "false_positives": [ + "User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_user", + "name": "Rare User Logon", + "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json deleted file mode 100644 index c6b3e1593597..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", - "false_positives": [ - "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure External Guest User Invitation", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.display_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json new file mode 100644 index 000000000000..cbab250ea30f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", + "false_positives": [ + "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure External Guest User Invitation", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json new file mode 100644 index 000000000000..c6f97e30c015 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", + "false_positives": [ + "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure External Guest User Invitation", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json deleted file mode 100644 index cc5bbcf10b9f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) from the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json new file mode 100644 index 000000000000..24bb9ebd7f04 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json new file mode 100644 index 000000000000..1f4b4c683a41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) from the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json deleted file mode 100644 index de33f77d5aae..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", - "false_positives": [ - "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes User Exec into Pod", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", - "references": [ - "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", - "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.subresource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1609", - "name": "Container Administration Command", - "reference": "https://attack.mitre.org/techniques/T1609/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json new file mode 100644 index 000000000000..634c36cadaae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", + "false_positives": [ + "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes User Exec into Pod", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", + "references": [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.subresource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json new file mode 100644 index 000000000000..89eb50bf9e8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", + "false_positives": [ + "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes User Exec into Pod", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", + "references": [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.subresource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json deleted file mode 100644 index 9cbdc499d3fc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Persistence via Time Provider Modification", - "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", - "references": [ - "https://pentestlab.blog/2019/10/22/persistence-time-providers/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.003", - "name": "Time Providers", - "reference": "https://attack.mitre.org/techniques/T1547/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json new file mode 100644 index 000000000000..f6b073d13688 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json new file mode 100644 index 000000000000..746c1f0ccfaf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json deleted file mode 100644 index ec8979084062..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", - "references": [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", - "https://labs.f-secure.com/tools/sharpgpoabuse", - "https://twitter.com/menasec1/status/1106899890377052160", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "message", - "type": "match_only_text" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessList", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.RelativeTargetName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ShareName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", - "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - }, - { - "id": "T1484", - "name": "Domain Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/", - "subtechnique": [ - { - "id": "T1484.001", - "name": "Group Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "15a8ba77-1c13-4274-88fe-6bd14133861e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json new file mode 100644 index 000000000000..10453a35f8ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Scheduled Task Execution at Scale via GPO", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "host.os.type:windows and\n(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json new file mode 100644 index 000000000000..60a5b8164e2d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Scheduled Task Execution at Scale via GPO", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json new file mode 100644 index 000000000000..d2d78ee5c2e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Scheduled Task Execution at Scale via GPO", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json deleted file mode 100644 index f6c7e37ea125..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", - "references": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "15c0b7a7-9c34-4869-b25b-fa6518414899", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json new file mode 100644 index 000000000000..e952f35802e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json new file mode 100644 index 000000000000..2c04a81373f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json new file mode 100644 index 000000000000..f8295b85551c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json deleted file mode 100644 index 0d5d95f3dd54..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Virtual Private Network Connection Attempt", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", - "references": [ - "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", - "https://www.unix.com/man-page/osx/8/networksetup/", - "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "15dacaa0-5b90-466b-acab-63435a59701a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json new file mode 100644 index 000000000000..b609e48536d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Private Network Connection Attempt", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", + "https://www.unix.com/man-page/osx/8/networksetup/", + "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "15dacaa0-5b90-466b-acab-63435a59701a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json new file mode 100644 index 000000000000..8e61d73154ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Private Network Connection Attempt", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", + "https://www.unix.com/man-page/osx/8/networksetup/", + "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "15dacaa0-5b90-466b-acab-63435a59701a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json deleted file mode 100644 index 77806398d236..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Automation Runbook Created or Modified", - "note": "", - "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", - "references": [ - "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", - "https://github.com/hausec/PowerZure", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json new file mode 100644 index 000000000000..ae5f6b16c861 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json @@ -0,0 +1,65 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Runbook Created or Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_102.json b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_102.json new file mode 100644 index 000000000000..e835a4a7dc3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_102.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Runbook Created or Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json deleted file mode 100644 index db7dc76101a2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "File Creation Time Changed", - "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.006", - "name": "Timestomp", - "reference": "https://attack.mitre.org/techniques/T1070/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "166727ab-6768-4e26-b80c-948b228ffc06", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json new file mode 100644 index 000000000000..6eb782093d85 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Creation Time Changed", + "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "166727ab-6768-4e26-b80c-948b228ffc06_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json new file mode 100644 index 000000000000..ac29e70f6b81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Creation Time Changed", + "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "166727ab-6768-4e26-b80c-948b228ffc06_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json deleted file mode 100644 index 17a4a9f5e7f5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Kerberos Attack via Bifrost", - "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", - "references": [ - "https://github.com/its-a-feature/bifrost" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.003", - "name": "Pass the Ticket", - "reference": "https://attack.mitre.org/techniques/T1550/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.003", - "name": "Kerberoasting", - "reference": "https://attack.mitre.org/techniques/T1558/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "16904215-2c95-4ac8-bf5c-12354e047192", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json new file mode 100644 index 000000000000..94fd8abeb31d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Kerberos Attack via Bifrost", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", + "references": [ + "https://github.com/its-a-feature/bifrost" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "16904215-2c95-4ac8-bf5c-12354e047192_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json new file mode 100644 index 000000000000..22bfe1983d9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Kerberos Attack via Bifrost", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", + "references": [ + "https://github.com/its-a-feature/bifrost" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "16904215-2c95-4ac8-bf5c-12354e047192_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json deleted file mode 100644 index db70dcd76587..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", - "false_positives": [ - "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Group Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.003", - "name": "Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1136/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json new file mode 100644 index 000000000000..99febfa5ff99 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", + "false_positives": [ + "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Group Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.003", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1136/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json new file mode 100644 index 000000000000..0e6154e1518b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", + "false_positives": [ + "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Group Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.003", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1136/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json deleted file mode 100644 index 808dfc88cc8a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Component Object Model Hijacking", - "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", - "references": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.015", - "name": "Component Object Model Hijacking", - "reference": "https://attack.mitre.org/techniques/T1546/015/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "16a52c14-7883-47af-8745-9357803f0d4c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json new file mode 100644 index 000000000000..adec25b5906b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n\n(\n (registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\\\\*\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL\\\\*\"\n ) and not \n (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\"))\n\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json new file mode 100644 index 000000000000..e38da2991d54 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json new file mode 100644 index 000000000000..d547b4bd07a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json deleted file mode 100644 index 64d9b46a1817..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", - "false_positives": [ - "Legitimate Administrative Activity" - ], - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Startup/Logon Script added to Group Policy Object", - "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", - "references": [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", - "https://labs.f-secure.com/tools/sharpgpoabuse" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "message", - "type": "match_only_text" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessList", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.RelativeTargetName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ShareName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", - "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1484", - "name": "Domain Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/", - "subtechnique": [ - { - "id": "T1484.001", - "name": "Group Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/001/" - } - ] - }, - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "16fac1a1-21ee-4ca6-b720-458e3855d046", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json new file mode 100644 index 000000000000..759cce7cb356 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", + "false_positives": [ + "Legitimate Administrative Activity" + ], + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Startup/Logon Script added to Group Policy Object", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "host.os.type:windows and\n(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json new file mode 100644 index 000000000000..a1d64169c913 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", + "false_positives": [ + "Legitimate Administrative Activity" + ], + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Startup/Logon Script added to Group Policy Object", + "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json new file mode 100644 index 000000000000..da08c4cdc8b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", + "false_positives": [ + "Legitimate Administrative Activity" + ], + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Startup/Logon Script added to Group Policy Object", + "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json deleted file mode 100644 index 9dd4f52d782c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_user_name" - ], - "name": "Unusual Windows Username", - "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - }, - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json new file mode 100644 index 000000000000..fad2c1ca4cab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json @@ -0,0 +1,68 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_user_name" + ], + "name": "Unusual Windows Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json new file mode 100644 index 000000000000..8dba01fddb42 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_user_name" + ], + "name": "Unusual Windows Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json deleted file mode 100644 index d191b661b536..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_service" - ], - "name": "Unusual Windows Service", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json new file mode 100644 index 000000000000..0a08cd6f62ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_service" + ], + "name": "Unusual Windows Service", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json new file mode 100644 index 000000000000..4ee1fee6dc7b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json @@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_service" + ], + "name": "Unusual Windows Service", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json deleted file mode 100644 index c4dc3430b106..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", - "false_positives": [ - "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_script" - ], - "name": "Suspicious Powershell Script", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json new file mode 100644 index 000000000000..6c6b9a1877a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", + "false_positives": [ + "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_script" + ], + "name": "Suspicious Powershell Script", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json new file mode 100644 index 000000000000..1941e7b18959 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", + "false_positives": [ + "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_script" + ], + "name": "Suspicious Powershell Script", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json deleted file mode 100644 index bc141878347e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", - "false_positives": [ - "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_rare_user_runas_event" - ], - "name": "Unusual Windows User Privilege Elevation Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json new file mode 100644 index 000000000000..5c554c0ff87d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json @@ -0,0 +1,49 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_runas_event" + ], + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json new file mode 100644 index 000000000000..0042fd44b719 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json @@ -0,0 +1,48 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", + "false_positives": [ + "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_runas_event" + ], + "name": "Unusual Windows User Privilege Elevation Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json deleted file mode 100644 index 413ecc0648c7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", - "false_positives": [ - "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_rare_user_type10_remote_login" - ], - "name": "Unusual Windows Remote User", - "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json new file mode 100644 index 000000000000..265bf4caada0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_type10_remote_login" + ], + "name": "Unusual Windows Remote User", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json new file mode 100644 index 000000000000..319c0708a658 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", + "false_positives": [ + "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_user_type10_remote_login" + ], + "name": "Unusual Windows Remote User", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json deleted file mode 100644 index 9af397d20597..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json +++ /dev/null @@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "New Systemd Service Created by Previously Unknown Process", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", - "references": [ - "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.002", - "name": "Systemd Service", - "reference": "https://attack.mitre.org/techniques/T1543/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.002", - "name": "Systemd Service", - "reference": "https://attack.mitre.org/techniques/T1543/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json new file mode 100644 index 000000000000..69697e43085f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Service Created by Previously Unknown Process", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json new file mode 100644 index 000000000000..645e9fe62fcc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Service Created by Previously Unknown Process", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json deleted file mode 100644 index f5a41fa7606a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution - Short Program Name", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.003", - "name": "Rename System Utilities", - "reference": "https://attack.mitre.org/techniques/T1036/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json new file mode 100644 index 000000000000..cbeb95076230 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution - Short Program Name", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json new file mode 100644 index 000000000000..5da230f1d139 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution - Short Program Name", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json deleted file mode 100644 index 4bbd99ec16d0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_server_domain", - "name": "Unusual Network Destination Domain Name", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "17e68559-b274-4948-ad0b-f8415bb31126", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json new file mode 100644 index 000000000000..237cc1c6896b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "17e68559-b274-4948-ad0b-f8415bb31126_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json new file mode 100644 index 000000000000..0dbeeaae6aa0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_server_domain", + "name": "Unusual Network Destination Domain Name", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "17e68559-b274-4948-ad0b-f8415bb31126_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json deleted file mode 100644 index 569adbd9c2dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", - "false_positives": [ - "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Sink Modification", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", - "references": [ - "https://cloud.google.com/logging/docs/export#how_sinks_work" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Exfiltration" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json new file mode 100644 index 000000000000..b4df338e6077 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", + "false_positives": [ + "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/export#how_sinks_work" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json new file mode 100644 index 000000000000..9ffceae3b471 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", + "false_positives": [ + "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/export#how_sinks_work" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json deleted file mode 100644 index 2386464593dd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", - "false_positives": [ - "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." - ], - "from": "now-2h", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_error_code", - "name": "Rare AWS Error Code", - "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "related_integrations": [], - "risk_score": 21, - "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide" - ], - "type": "machine_learning", - "version": 105 - }, - "id": "19de8096-e2b0-4bd8-80c9-34a820813fff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json new file mode 100644 index 000000000000..7bfe21a28193 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", + "false_positives": [ + "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_error_code", + "name": "Rare AWS Error Code", + "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "ML", + "Machine Learning", + "Investigation Guide" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json new file mode 100644 index 000000000000..86d408a7c775 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", + "false_positives": [ + "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_error_code", + "name": "Rare AWS Error Code", + "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 105 + }, + "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json deleted file mode 100644 index d97c02b9bc78..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", - "false_positives": [ - "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Application Credential Modification", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n", - "references": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json new file mode 100644 index 000000000000..d1cc7fedbaf9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", + "false_positives": [ + "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Application Credential Modification", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json new file mode 100644 index 000000000000..96547b848218 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", + "false_positives": [ + "Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Application Credential Modification", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json deleted file mode 100644 index d100b02c7fd8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of COM object via Xwizard", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", - "references": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1559", - "name": "Inter-Process Communication", - "reference": "https://attack.mitre.org/techniques/T1559/", - "subtechnique": [ - { - "id": "T1559.001", - "name": "Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1559/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json new file mode 100644 index 000000000000..71fd1bfceb8f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of COM object via Xwizard", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json new file mode 100644 index 000000000000..dfd56e70a529 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of COM object via Xwizard", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json deleted file mode 100644 index 429420bcae94..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", - "false_positives": [ - "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Suspended", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json new file mode 100644 index 000000000000..36a5ef0c60f6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", + "false_positives": [ + "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Suspended", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json new file mode 100644 index 000000000000..d8e8e3611000 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", + "false_positives": [ + "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Suspended", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json deleted file mode 100644 index 01e3ce16bb95..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "User Account Creation", - "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json new file mode 100644 index 000000000000..e02bccdd51fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Account Creation", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json new file mode 100644 index 000000000000..f5b2ab23204c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Account Creation", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json deleted file mode 100644 index aaec6caf6510..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", - "false_positives": [ - "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Internal Network via Telnet", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json new file mode 100644 index 000000000000..bd6a8921b641 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Internal Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json new file mode 100644 index 000000000000..6828730d76a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Internal Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json deleted file mode 100644 index a541d832cf9d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when an ElastiCache security group has been modified or deleted.", - "false_positives": [ - "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS ElastiCache Security Group Modified or Deleted", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json new file mode 100644 index 000000000000..bba5911de708 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an ElastiCache security group has been modified or deleted.", + "false_positives": [ + "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS ElastiCache Security Group Modified or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json new file mode 100644 index 000000000000..1a5b9326bed9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an ElastiCache security group has been modified or deleted.", + "false_positives": [ + "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS ElastiCache Security Group Modified or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json deleted file mode 100644 index 2ff99a657073..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", - "from": "now-9m", - "index": [ - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Internal Linux SSH Brute Force Detected", - "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 - }, - "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json new file mode 100644 index 000000000000..fa0433b5b60f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive login failures targeting an user account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=10s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json new file mode 100644 index 000000000000..e51c16abbdc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Internal Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json new file mode 100644 index 000000000000..c5cb6b9ca42d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Internal Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json new file mode 100644 index 000000000000..54de15f5bbdf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Internal Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json deleted file mode 100644 index 733f2e7b9def..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json +++ /dev/null @@ -1,122 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Possible Consent Grant Attack via Azure-Registered Application", - "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", - "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", - "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - }, - { - "package": "azure", - "version": "^1.0.0" - }, - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Operation", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json new file mode 100644 index 000000000000..18ada37843aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "Microsoft 365", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json new file mode 100644 index 000000000000..1709badc4a8c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json deleted file mode 100644 index 4997b2e0d63f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json +++ /dev/null @@ -1,168 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious File Creation in /etc for Persistence", - "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr//lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension == \"swp\"\n", - "references": [ - "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/", - "subtechnique": [ - { - "id": "T1037.004", - "name": "RC Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/004/" - } - ] - }, - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - }, - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.002", - "name": "Systemd Service", - "reference": "https://attack.mitre.org/techniques/T1543/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json new file mode 100644 index 000000000000..b21d56c5aac3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json @@ -0,0 +1,164 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\")\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Orbit", + "Lightning Framework", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json new file mode 100644 index 000000000000..9ed472bd45af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json @@ -0,0 +1,164 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\", \"/kaniko/executor\")\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Orbit", + "Lightning Framework", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json new file mode 100644 index 000000000000..f2c7d10368a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json @@ -0,0 +1,163 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\", \"/kaniko/executor\")\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json new file mode 100644 index 000000000000..bbb734dd39d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json @@ -0,0 +1,168 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr//lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension == \"swp\"\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json deleted file mode 100644 index 29fbd7c73974..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Kubernetes Rolebindings Created", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "1c966416-60c1-436b-bfd0-e002fddbfd89", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json new file mode 100644 index 000000000000..2c7207d549d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Rolebindings Created", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "1c966416-60c1-436b-bfd0-e002fddbfd89_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json new file mode 100644 index 000000000000..02bc2621bbc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Rolebindings Created", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "1c966416-60c1-436b-bfd0-e002fddbfd89_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json deleted file mode 100644 index 63bfa0997aeb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", - "false_positives": [ - "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming Execution via WinRM Remote Shell", - "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.006", - "name": "Windows Remote Management", - "reference": "https://attack.mitre.org/techniques/T1021/006/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json new file mode 100644 index 000000000000..a0ff7c96b7e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", + "false_positives": [ + "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via WinRM Remote Shell", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json new file mode 100644 index 000000000000..c4ee8676d06c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", + "false_positives": [ + "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via WinRM Remote Shell", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json new file mode 100644 index 000000000000..46fe5fc49d05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", + "false_positives": [ + "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via WinRM Remote Shell", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json deleted file mode 100644 index 5e1797d491fd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "1d276579-3380-4095-ad38-e596a01bc64f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json new file mode 100644 index 000000000000..c6ee27eee4a8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "1d276579-3380-4095-ad38-e596a01bc64f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json new file mode 100644 index 000000000000..61113869feb7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "1d276579-3380-4095-ad38-e596a01bc64f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json new file mode 100644 index 000000000000..6b2029475a53 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "1d276579-3380-4095-ad38-e596a01bc64f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json deleted file mode 100644 index 0e06cd157cb6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", - "false_positives": [ - "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "External IP Lookup from Non-Browser Process", - "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", - "references": [ - "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/", - "subtechnique": [ - { - "id": "T1016.001", - "name": "Internet Connection Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/001/" - } - ] - }, - { - "id": "T1614", - "name": "System Location Discovery", - "reference": "https://attack.mitre.org/techniques/T1614/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "1d72d014-e2ab-4707-b056-9b96abe7b511", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json new file mode 100644 index 000000000000..04046e907a0f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", + "false_positives": [ + "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "External IP Lookup from Non-Browser Process", + "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", + "references": [ + "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1614", + "name": "System Location Discovery", + "reference": "https://attack.mitre.org/techniques/T1614/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json new file mode 100644 index 000000000000..dd611092cbe4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", + "false_positives": [ + "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "External IP Lookup from Non-Browser Process", + "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", + "references": [ + "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1614", + "name": "System Location Discovery", + "reference": "https://attack.mitre.org/techniques/T1614/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json deleted file mode 100644 index 29847c480ccf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", - "false_positives": [ - "Legitimate PowerShell Scripts which makes use of encryption." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Script with Encryption/Decryption Capabilities", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json new file mode 100644 index 000000000000..caeb2831ea3e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of encryption." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Encryption/Decryption Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + }, + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json new file mode 100644 index 000000000000..ddc31dc64091 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of encryption." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Encryption/Decryption Capabilities", + "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : (\n CipherMode and \n PaddingMode and \n ( \n Cryptography.AESManaged or \n Cryptography.RijndaelManaged or \n Cryptography.SHA1Managed or \n Cryptography.SHA256Managed or \n Cryptography.SHA384Managed or \n Cryptography.SHA512Managed or \n Cryptography.SymmetricAlgorithm or \n PasswordDeriveBytes or \n Rfc2898DeriveBytes\n ) and (.CreateDecryptor or .CreateEncryptor)) and not user.id:S-1-5-18\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json new file mode 100644 index 000000000000..6d0e1e698304 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of encryption." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Encryption/Decryption Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json deleted file mode 100644 index 1987c05fb790..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json new file mode 100644 index 000000000000..3341b351e4e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json new file mode 100644 index 000000000000..e658a6b8fea9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json deleted file mode 100644 index 2fb1748dc5f2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Inter-Process Communication via Outlook", - "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", - "references": [ - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.effective_parent.executable", - "type": "unknown" - }, - { - "ecs": false, - "name": "process.Ext.effective_parent.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.001", - "name": "Local Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1559", - "name": "Inter-Process Communication", - "reference": "https://attack.mitre.org/techniques/T1559/", - "subtechnique": [ - { - "id": "T1559.001", - "name": "Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1559/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json new file mode 100644 index 000000000000..46dc0e8cb839 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Inter-Process Communication via Outlook", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", + "references": [ + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json new file mode 100644 index 000000000000..e5551aa2d93c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Inter-Process Communication via Outlook", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", + "references": [ + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json deleted file mode 100644 index 5f2ca6db622e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", - "from": "now-120m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of File Written or Modified by PDF Reader", - "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "1defdd62-cd8d-426e-a246-81a37751bb2b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json new file mode 100644 index 000000000000..c5a55ac2f9c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by PDF Reader", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json new file mode 100644 index 000000000000..93c82ecc26d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by PDF Reader", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json deleted file mode 100644 index 4e9cbe539a14..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", - "false_positives": [ - "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Storage Account Key Regenerated", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "1e0b832e-957e-43ae-b319-db82d228c908", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json new file mode 100644 index 000000000000..837cb1cb027f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", + "false_positives": [ + "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Storage Account Key Regenerated", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "1e0b832e-957e-43ae-b319-db82d228c908_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json new file mode 100644 index 000000000000..62618d7891de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", + "false_positives": [ + "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Storage Account Key Regenerated", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "1e0b832e-957e-43ae-b319-db82d228c908_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json deleted file mode 100644 index f32c5b7a0915..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", - "false_positives": [ - "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_rare_sudo_user" - ], - "name": "Unusual Sudo Activity", - "risk_score": 21, - "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json new file mode 100644 index 000000000000..bc8edf82fdb8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", + "false_positives": [ + "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_sudo_user" + ], + "name": "Unusual Sudo Activity", + "risk_score": 21, + "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json new file mode 100644 index 000000000000..e4d3fad717ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json @@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", + "false_positives": [ + "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_sudo_user" + ], + "name": "Unusual Sudo Activity", + "risk_score": 21, + "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json deleted file mode 100644 index 1f4d2d84f87c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", - "references": [ - "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 - }, - "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json new file mode 100644 index 000000000000..4a49f8f89729 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "PowerShell", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json new file mode 100644 index 000000000000..c03f9f460a15 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "PowerShell", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json new file mode 100644 index 000000000000..9365f384dcef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : (\n AmsiInitialize or \n AmsiX32 or \n AmsiX64 or \n AntimalwareProvider or \n Bypass.AMSI or \n FindAmsiFun or \n Invoke-AmsiBypass or \n System.Management.Automation.AmsiUtils or \n System.Management.Automation.ScriptBlock or \n amsi.dll or \n amsiContext or \n amsiInitFailed or \n amsiSession or \n unloadobfuscated or \n unloadsilent or \n VirtualProtect and \"[System.Runtime.InteropServices.Marshal]::Copy\" or \n \".SetValue(\" and \"[Ref].Assembly.GetType(('System.Management.Automation\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json new file mode 100644 index 000000000000..3b8e31095b68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json deleted file mode 100644 index 29b164b4b99e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_rare_metadata_user" - ], - "name": "Unusual Linux User Calling the Metadata Service", - "risk_score": 21, - "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.005", - "name": "Cloud Instance Metadata API", - "reference": "https://attack.mitre.org/techniques/T1552/005/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "1faec04b-d902-4f89-8aff-92cd9043c16f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json new file mode 100644 index 000000000000..f9fe9a6ab979 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_user" + ], + "name": "Unusual Linux User Calling the Metadata Service", + "risk_score": 21, + "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json new file mode 100644 index 000000000000..d0a2d96639e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_user" + ], + "name": "Unusual Linux User Calling the Metadata Service", + "risk_score": 21, + "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json deleted file mode 100644 index 45bb607fce3b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Network Activity from a Windows System Binary", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json new file mode 100644 index 000000000000..8d6c95066ea7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Activity from a Windows System Binary", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json new file mode 100644 index 000000000000..13147c416dee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Activity from a Windows System Binary", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json new file mode 100644 index 000000000000..7664af936752 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Activity from a Windows System Binary", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json deleted file mode 100644 index 4696436f2bba..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Exploit - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json new file mode 100644 index 000000000000..1d888baaf47c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Exploit - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json new file mode 100644 index 000000000000..f63117b5a9bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Exploit - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json deleted file mode 100644 index b9563c4019b0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious .NET code execution. connections.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious .NET Code Compilation", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/", - "subtechnique": [ - { - "id": "T1027.004", - "name": "Compile After Delivery", - "reference": "https://attack.mitre.org/techniques/T1027/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json new file mode 100644 index 000000000000..b280913119e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious .NET code execution. connections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious .NET Code Compilation", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json new file mode 100644 index 000000000000..e82a12a0207b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious .NET code execution. connections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious .NET Code Compilation", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json deleted file mode 100644 index 510e62e44d56..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", - "false_positives": [ - "Certain applications may install root certificates for the purpose of inspecting SSL traffic." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation or Modification of Root Certificate", - "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", - "references": [ - "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", - "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.004", - "name": "Install Root Certificate", - "reference": "https://attack.mitre.org/techniques/T1553/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json new file mode 100644 index 000000000000..4c96a3f46abf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json new file mode 100644 index 000000000000..6874e047c0c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json deleted file mode 100644 index 8a57d3425042..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", - "false_positives": [ - "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Route 53 Domain Transferred to Another Account", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json new file mode 100644 index 000000000000..4c0df8e7b7dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", + "false_positives": [ + "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route 53 Domain Transferred to Another Account", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json new file mode 100644 index 000000000000..89ad4ce55e7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", + "false_positives": [ + "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route 53 Domain Transferred to Another Account", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json deleted file mode 100644 index 6a72e7ce2bd8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access of Stored Browser Credentials", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", - "references": [ - "https://securelist.com/calisto-trojan-for-macos/86543/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1539", - "name": "Steal Web Session Cookie", - "reference": "https://attack.mitre.org/techniques/T1539/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.003", - "name": "Credentials from Web Browsers", - "reference": "https://attack.mitre.org/techniques/T1555/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json new file mode 100644 index 000000000000..bcc7745ea47f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access of Stored Browser Credentials", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", + "references": [ + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json new file mode 100644 index 000000000000..76f2d715fa98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access of Stored Browser Credentials", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", + "references": [ + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json deleted file mode 100644 index cbdead02160b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", - "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", - "https://attack.mitre.org/techniques/T1003/001/", - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "http://findingbad.blogspot.com/2017/", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMask", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMaskDescription", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ObjectName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ProcessName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", - "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "208dbe77-01ed-4954-8d44-1e5751cb20de", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json new file mode 100644 index 000000000000..786ad7d7d14a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Handle Access", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json new file mode 100644 index 000000000000..bde9738ae4e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Handle Access", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json new file mode 100644 index 000000000000..d7da21fbcb0a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Handle Access", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json new file mode 100644 index 000000000000..360d5197c2ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Handle Access", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json deleted file mode 100644 index 71ad202a883d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", - "false_positives": [ - "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks." - ], - "from": "now-130m", - "history_window_start": "now-15d", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "new_terms_fields": [ - "google_workspace.token.client.id" - ], - "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", - "references": [ - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://developers.google.com/apps-script/guides/bound", - "https://developers.google.com/identity/protocols/oauth2" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.token.client.id", - "type": "unknown" - }, - { - "ecs": false, - "name": "google_workspace.token.scope.data.scope_name", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Defense Evasion", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json new file mode 100644 index 000000000000..b0d2de243ef5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", + "false_positives": [ + "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks." + ], + "from": "now-130m", + "history_window_start": "now-15d", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", + "new_terms_fields": [ + "google_workspace.token.client.id" + ], + "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://developers.google.com/identity/protocols/oauth2" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.token.scope.data.scope_name", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Defense Evasion", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json new file mode 100644 index 000000000000..73178c0d3061 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", + "false_positives": [ + "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks." + ], + "from": "now-130m", + "history_window_start": "now-15d", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", + "new_terms_fields": [ + "google_workspace.token.client.id" + ], + "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://developers.google.com/identity/protocols/oauth2" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.token.scope.data.scope_name", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Defense Evasion", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json deleted file mode 100644 index 4d739f417cf4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Full User-Mode Dumps Enabled System-Wide", - "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", - "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json new file mode 100644 index 000000000000..504bc6e26e4c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Full User-Mode Dumps Enabled System-Wide", + "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json new file mode 100644 index 000000000000..f3bee61c2cec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Full User-Mode Dumps Enabled System-Wide", + "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json deleted file mode 100644 index 8d3b8bd8bef5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SSH Authorized Keys File Modification", - "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.004", - "name": "SSH Authorized Keys", - "reference": "https://attack.mitre.org/techniques/T1098/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1563", - "name": "Remote Service Session Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/", - "subtechnique": [ - { - "id": "T1563.001", - "name": "SSH Hijacking", - "reference": "https://attack.mitre.org/techniques/T1563/001/" - } - ] - }, - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json new file mode 100644 index 000000000000..b99d04d39cc3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH Authorized Keys File Modification", + "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Lateral Movement", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + }, + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json new file mode 100644 index 000000000000..5e2272385751 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH Authorized Keys File Modification", + "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + }, + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json deleted file mode 100644 index 0c246b1eaa4e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "SUNBURST Command and Control Activity", - "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "http.request.body.content", - "type": "wildcard" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "22599847-5d13-48cb-8872-5796fee8692b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json new file mode 100644 index 000000000000..ed254e07f711 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SUNBURST Command and Control Activity", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "22599847-5d13-48cb-8872-5796fee8692b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json new file mode 100644 index 000000000000..d375aa1d8670 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SUNBURST Command and Control Activity", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "22599847-5d13-48cb-8872-5796fee8692b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json new file mode 100644 index 000000000000..820a2cb182c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SUNBURST Command and Control Activity", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "22599847-5d13-48cb-8872-5796fee8692b_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json deleted file mode 100644 index 2b47f821aaa0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", - "false_positives": [ - "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS S3 Bucket Configuration Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "227dc608-e558-43d9-b521-150772250bae", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "227dc608-e558-43d9-b521-150772250bae", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json new file mode 100644 index 000000000000..1475e21548a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", + "false_positives": [ + "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Configuration Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "227dc608-e558-43d9-b521-150772250bae", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "227dc608-e558-43d9-b521-150772250bae_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json new file mode 100644 index 000000000000..8168b8f3055c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", + "false_positives": [ + "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS S3 Bucket Configuration Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "227dc608-e558-43d9-b521-150772250bae", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "227dc608-e558-43d9-b521-150772250bae_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json deleted file mode 100644 index 94f89fdd89b7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", - "false_positives": [ - "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Storage Bucket Permissions Modification", - "note": "", - "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n", - "references": [ - "https://cloud.google.com/storage/docs/access-control/iam-permissions" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json new file mode 100644 index 000000000000..1a971623b8ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Permissions Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n", + "references": [ + "https://cloud.google.com/storage/docs/access-control/iam-permissions" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json new file mode 100644 index 000000000000..cac4413ae142 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Permissions Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n", + "references": [ + "https://cloud.google.com/storage/docs/access-control/iam-permissions" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json deleted file mode 100644 index 4d0fc7521530..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kernel module load via insmod", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", - "references": [ - "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "2339f03c-f53f-40fa-834b-40c5983fc41f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json new file mode 100644 index 000000000000..8e4b0df32c34 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel module load via insmod", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Rootkit", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json new file mode 100644 index 000000000000..e0b35026f909 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel module load via insmod", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json deleted file mode 100644 index 0e83b30e2d0a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Lateral Movement via Startup Folder", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", - "references": [ - "https://www.mdsec.co.uk/2017/06/rdpinception/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json new file mode 100644 index 000000000000..c9d1adfe3000 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Movement via Startup Folder", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", + "references": [ + "https://www.mdsec.co.uk/2017/06/rdpinception/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json new file mode 100644 index 000000000000..79f3eea5787d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Movement via Startup Folder", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", + "references": [ + "https://www.mdsec.co.uk/2017/06/rdpinception/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json deleted file mode 100644 index b401e940a5db..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", - "false_positives": [ - "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Blob Container Access Level Modification", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Asset Visibility", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1526", - "name": "Cloud Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1526/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json new file mode 100644 index 000000000000..36de3d9f1099 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", + "false_positives": [ + "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Container Access Level Modification", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json new file mode 100644 index 000000000000..ef0c23e0cc83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", + "false_positives": [ + "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Container Access Level Modification", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Asset Visibility", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1526", + "name": "Cloud Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1526/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json deleted file mode 100644 index 29848bebb450..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", - "references": [ - "https://github.com/irsl/CVE-2020-1313" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "265db8f5-fc73-4d0d-b434-6483b56372e2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json new file mode 100644 index 000000000000..603337b48183 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "CVE-2020-1313", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json new file mode 100644 index 000000000000..5a40b1406929 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "CVE-2020-1313", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json new file mode 100644 index 000000000000..e9c9f2a48b8a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json deleted file mode 100644 index a2953b42df9a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privileges Elevation via Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", - "references": [ - "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", - "https://blog.didierstevens.com/2017/03/20/", - "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.parent.Ext.real.pid", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.002", - "name": "Create Process with Token", - "reference": "https://attack.mitre.org/techniques/T1134/002/" - }, - { - "id": "T1134.004", - "name": "Parent PID Spoofing", - "reference": "https://attack.mitre.org/techniques/T1134/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json new file mode 100644 index 000000000000..d1d5ed6ef5d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json new file mode 100644 index 000000000000..088d94afbed8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json deleted file mode 100644 index a226c10b3c5b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Active Directory High Risk User Sign-in Heuristic", - "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` or `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.signinlogs.properties.risk_state", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "26edba02-6979-4bce-920a-70b080a7be81", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "26edba02-6979-4bce-920a-70b080a7be81", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json new file mode 100644 index 000000000000..a6ec4a3fd31b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory High Risk User Sign-in Heuristic", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` or `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_state", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "26edba02-6979-4bce-920a-70b080a7be81", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "26edba02-6979-4bce-920a-70b080a7be81_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json new file mode 100644 index 000000000000..6df640ed2b2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory High Risk User Sign-in Heuristic", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` or `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_state", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "26edba02-6979-4bce-920a-70b080a7be81", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "26edba02-6979-4bce-920a-70b080a7be81_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json deleted file mode 100644 index 3692428ddff1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Willem D'Haese", - "Austin Songer" - ], - "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempts to Brute Force a Microsoft 365 User Account", - "note": "", - "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", - "references": [ - "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.LogonError", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "user.id" - ], - "value": 10 - }, - "type": "threshold", - "version": 102 - }, - "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json new file mode 100644 index 000000000000..61128bd43140 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese", + "Austin Songer" + ], + "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force a Microsoft 365 User Account", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", + "references": [ + "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 101 + }, + "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json new file mode 100644 index 000000000000..acf3473a3f84 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese", + "Austin Songer" + ], + "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force a Microsoft 365 User Account", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", + "references": [ + "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 102 + }, + "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json deleted file mode 100644 index 00a257b43eab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", - "false_positives": [ - "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Transport Rule Modification", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Exfiltration" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "272a6484-2663-46db-a532-ef734bf9a796", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json new file mode 100644 index 000000000000..826dc0878bc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json new file mode 100644 index 000000000000..0210052594ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json deleted file mode 100644 index 31bfdec54fec..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", - "false_positives": [ - "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming Execution via PowerShell Remoting", - "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.006", - "name": "Windows Remote Management", - "reference": "https://attack.mitre.org/techniques/T1021/006/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "2772264c-6fb9-4d9d-9014-b416eed21254", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json new file mode 100644 index 000000000000..a02c4f8f5313 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", + "false_positives": [ + "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via PowerShell Remoting", + "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "2772264c-6fb9-4d9d-9014-b416eed21254_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json new file mode 100644 index 000000000000..b3ee668ddfbe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", + "false_positives": [ + "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via PowerShell Remoting", + "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "2772264c-6fb9-4d9d-9014-b416eed21254_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json new file mode 100644 index 000000000000..1b8ca3ba8c83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", + "false_positives": [ + "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via PowerShell Remoting", + "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "2772264c-6fb9-4d9d-9014-b416eed21254_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json deleted file mode 100644 index 26bf2b257ce6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", - "false_positives": [ - "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Firewall Rule Modification", - "note": "", - "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n", - "references": [ - "https://cloud.google.com/vpc/docs/firewalls", - "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json new file mode 100644 index 000000000000..3e20321cf6b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", + "false_positives": [ + "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json new file mode 100644 index 000000000000..2cb608156d8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", + "false_positives": [ + "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json deleted file mode 100644 index df8012357c3b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", - "false_positives": [ - "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Teams External Access Enabled", - "note": "", - "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.AllowFederatedUsers", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json new file mode 100644 index 000000000000..eb50cad9ca3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json new file mode 100644 index 000000000000..a612633abb3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json deleted file mode 100644 index e1614231f789..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", - "false_positives": [ - "Legitimate remote account administration." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Account Password Reset Remotely", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", - "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetSid", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json new file mode 100644 index 000000000000..d7d212a6b917 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where host.os.type == \"windows\" and event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json new file mode 100644 index 000000000000..3f2649af97a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json new file mode 100644 index 000000000000..b97a4faeaa70 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json deleted file mode 100644 index 7570e8baf87e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Account Discovery Command via SYSTEM Account", - "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.IntegrityLevel", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json new file mode 100644 index 000000000000..6469ade281be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Discovery Command via SYSTEM Account", + "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json new file mode 100644 index 000000000000..8c4ae873221c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Discovery Command via SYSTEM Account", + "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json deleted file mode 100644 index 3b1896303748..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Exploit - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json new file mode 100644 index 000000000000..9f5184db2af8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Exploit - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json new file mode 100644 index 000000000000..8888e568535b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Exploit - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624.json deleted file mode 100644 index 9ce78d556252..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious File Changes Activity Detected", - "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100 | tail 1\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1486", - "name": "Data Encrypted for Impact", - "reference": "https://attack.mitre.org/techniques/T1486/" - } - ] - } - ], - "type": "eql", - "version": 3 - }, - "id": "28738f9f-7427-4d23-bc69-756708b5f624", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json new file mode 100644 index 000000000000..4cccb8fb3e52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. This rule identifies a sequence of 50 file extension rename events by the same process in a timespan of 1 second.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Changes Activity Detected", + "query": "sequence by host.id, process.entity_id, file.extension with maxspan=1s \n[ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50 | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "28738f9f-7427-4d23-bc69-756708b5f624_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json new file mode 100644 index 000000000000..cb3054e59f13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. This rule identifies a sequence of 50 file extension rename events by the same process in a timespan of 1 second.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Changes Activity Detected", + "query": "sequence by host.id, process.entity_id, file.extension with maxspan=1s \n[ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50 | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "28738f9f-7427-4d23-bc69-756708b5f624_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json new file mode 100644 index 000000000000..f680ccf825b9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Changes Activity Detected", + "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100 | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "28738f9f-7427-4d23-bc69-756708b5f624_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json deleted file mode 100644 index 25d311d9f027..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", - "false_positives": [ - "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Security Group Configuration Change Detection", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "29052c19-ff3e-42fd-8363-7be14d7c5469", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json new file mode 100644 index 000000000000..d4c0c044d033 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", + "false_positives": [ + "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Group Configuration Change Detection", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json new file mode 100644 index 000000000000..5c47f4cfb49e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", + "false_positives": [ + "A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Group Configuration Change Detection", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json deleted file mode 100644 index 458adac1ceab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", - "references": [ - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "290aca65-e94d-403b-ba0f-62f320e63f51", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json new file mode 100644 index 000000000000..250654568693 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Windows Directory Masquerading", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", + "references": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "290aca65-e94d-403b-ba0f-62f320e63f51_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json new file mode 100644 index 000000000000..1102adb0f336 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Windows Directory Masquerading", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", + "references": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "290aca65-e94d-403b-ba0f-62f320e63f51_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json new file mode 100644 index 000000000000..dcea0d72adc8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Windows Directory Masquerading", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", + "references": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "290aca65-e94d-403b-ba0f-62f320e63f51_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json deleted file mode 100644 index a2efba023031..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "false_positives": [ - "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Web Shell Detection: Script Process Child of Common Web Processes", - "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", - "references": [ - "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", - "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2917d495-59bd-4250-b395-c29409b76086", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2917d495-59bd-4250-b395-c29409b76086", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json new file mode 100644 index 000000000000..005ac8bcc31f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Shell Detection: Script Process Child of Common Web Processes", + "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2917d495-59bd-4250-b395-c29409b76086", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2917d495-59bd-4250-b395-c29409b76086_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json new file mode 100644 index 000000000000..55ece56de200 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Shell Detection: Script Process Child of Common Web Processes", + "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2917d495-59bd-4250-b395-c29409b76086", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2917d495-59bd-4250-b395-c29409b76086_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json deleted file mode 100644 index 53c7c44db54e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Privileged Local Groups Membership", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "group.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallerProcessName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetSid", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", - "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.001", - "name": "Local Groups", - "reference": "https://attack.mitre.org/techniques/T1069/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "291a0de9-937a-4189-94c0-3e847c8b13e4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json new file mode 100644 index 000000000000..fbed07ea1e9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json new file mode 100644 index 000000000000..7c66a883eb34 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json new file mode 100644 index 000000000000..c06272b7a3fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json new file mode 100644 index 000000000000..8791a4723f5d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json deleted file mode 100644 index 1e6c357113dd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Code Execution via Postgresql", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (process.parent.args : \"*sh\" or process.args : \"*sh\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "2a692072-d78d-42f3-a48a-775677d79c4e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json new file mode 100644 index 000000000000..6d06f5e95cde --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Code Execution via Postgresql", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (process.parent.args : \"*sh\" or process.args : \"*sh\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "2a692072-d78d-42f3-a48a-775677d79c4e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json deleted file mode 100644 index a03d82b25600..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", - "false_positives": [ - "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", - "references": [ - "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", - "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json new file mode 100644 index 000000000000..ea9f982c6d64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", + "false_positives": [ + "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", + "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json new file mode 100644 index 000000000000..a1ee2d9a123a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", + "false_positives": [ + "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", + "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json deleted file mode 100644 index 619258392e63..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "ESXI Discovery via Grep", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args : (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json new file mode 100644 index 000000000000..260d1c5c664f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Grep", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args : (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json new file mode 100644 index 000000000000..1da9c129a305 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Grep", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args : (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json deleted file mode 100644 index 8dcd755d781b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", - "references": [ - "https://twitter.com/pabraeken/status/997997818362155008" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.010", - "name": "Services File Permissions Weakness", - "reference": "https://attack.mitre.org/techniques/T1574/010/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json new file mode 100644 index 000000000000..b0fe7971abf8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adobe Hijack Persistence", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", + "references": [ + "https://twitter.com/pabraeken/status/997997818362155008" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.010", + "name": "Services File Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1574/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json new file mode 100644 index 000000000000..f5c8b9bbe5d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adobe Hijack Persistence", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", + "references": [ + "https://twitter.com/pabraeken/status/997997818362155008" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.010", + "name": "Services File Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1574/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json new file mode 100644 index 000000000000..69dcd329dbdf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adobe Hijack Persistence", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", + "references": [ + "https://twitter.com/pabraeken/status/997997818362155008" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.010", + "name": "Services File Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1574/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json deleted file mode 100644 index 5fdba76c8766..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Defender Exclusions Added via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", - "references": [ - "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - }, - { - "id": "T1562.006", - "name": "Indicator Blocking", - "reference": "https://attack.mitre.org/techniques/T1562/006/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json new file mode 100644 index 000000000000..3599082ed689 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Exclusions Added via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", + "references": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json new file mode 100644 index 000000000000..777c6e29d34a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Exclusions Added via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", + "references": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json deleted file mode 100644 index 2e0ce763bd23..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Microsoft Diagnostics Wizard Execution", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", - "references": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json new file mode 100644 index 000000000000..2d50a5612bc6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Microsoft Diagnostics Wizard Execution", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", + "references": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json new file mode 100644 index 000000000000..d2591de1d347 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Microsoft Diagnostics Wizard Execution", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", + "references": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json deleted file mode 100644 index 387d56be850b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", - "false_positives": [ - "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Kernel Modules", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and \n((process.name == \"kmod\" and process.args == \"list\") or (process.name == \"modinfo\" and process.parent.user.id != \"0\") or \n(process.name == \"depmod\" and process.args in (\"--all\", \"-a\") and process.parent.user.id != \"0\") \nor process.name == \"lsmod\") and not process.parent.name : (\"vboxmanage\", \"virtualbox\", \"prime-offload\", \"vboxdrv.sh\") and not \nprocess.group_leader.name : \"qualys-cloud-agent\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.group_leader.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "2d8043ed-5bda-4caf-801c-c1feb7410504", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json new file mode 100644 index 000000000000..f801ee1e16ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json new file mode 100644 index 000000000000..0efd5cb88088 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and \n((process.name == \"kmod\" and process.args == \"list\") or (process.name == \"modinfo\" and process.parent.user.id != \"0\") or \n(process.name == \"depmod\" and process.args in (\"--all\", \"-a\") and process.parent.user.id != \"0\") \nor process.name == \"lsmod\") and not process.parent.name : (\"vboxmanage\", \"virtualbox\", \"prime-offload\", \"vboxdrv.sh\") and not \nprocess.group_leader.name : \"qualys-cloud-agent\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.group_leader.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json deleted file mode 100644 index f919ba3f28fa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", - "references": [ - "https://twitter.com/SBousseaden/status/1278013896440324096", - "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetImage", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 108 - }, - "id": "2dd480be-1263-4d9c-8672-172928f6789a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json new file mode 100644 index 000000000000..e3a6bcf9c31b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json new file mode 100644 index 000000000000..fbeeb3fe1790 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json new file mode 100644 index 000000000000..8ecdb2de074f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_108.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_108.json new file mode 100644 index 000000000000..cabe5470f6a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_108.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json deleted file mode 100644 index c3062b28adc5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "O365 Excessive Single Sign-On Logon Errors", - "note": "", - "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.LogonError", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "user.id" - ], - "value": 5 - }, - "type": "threshold", - "version": 102 - }, - "id": "2de10e77-c144-4e69-afb7-344e7127abd0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json new file mode 100644 index 000000000000..f4404b64b315 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "type": "threshold", + "version": 101 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json new file mode 100644 index 000000000000..e94d0ff5b741 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "type": "threshold", + "version": 102 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json deleted file mode 100644 index 281bc2f564de..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Wireless Credential Dumping using Netsh Command", - "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", - "references": [ - "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", - "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json new file mode 100644 index 000000000000..f6a985a6662d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Wireless Credential Dumping using Netsh Command", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", + "references": [ + "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", + "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Discovery", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json new file mode 100644 index 000000000000..deff664a3ed0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Wireless Credential Dumping using Netsh Command", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", + "references": [ + "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", + "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Discovery", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json new file mode 100644 index 000000000000..7d08ff6488dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Wireless Credential Dumping using Netsh Command", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", + "references": [ + "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", + "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json deleted file mode 100644 index c182d0c3e7e1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.003", - "name": "Rename System Utilities", - "reference": "https://attack.mitre.org/techniques/T1036/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json new file mode 100644 index 000000000000..9264b10aa1e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed AutoIt Scripts Interpreter", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json new file mode 100644 index 000000000000..8e15b4ec3745 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed AutoIt Scripts Interpreter", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json new file mode 100644 index 000000000000..db7ce9023e2f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed AutoIt Scripts Interpreter", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json deleted file mode 100644 index f699148564ab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", - "false_positives": [ - "Legitimate PowerShell scripts that make use of these functions." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Process Injection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", - "references": [ - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", - "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.001", - "name": "Dynamic-link Library Injection", - "reference": "https://attack.mitre.org/techniques/T1055/001/" - }, - { - "id": "T1055.002", - "name": "Portable Executable Injection", - "reference": "https://attack.mitre.org/techniques/T1055/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json new file mode 100644 index 000000000000..d9c0c3ce5997 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Process Injection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json new file mode 100644 index 000000000000..4a9c13ee11d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Process Injection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json new file mode 100644 index 000000000000..4aa2642826ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Process Injection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json deleted file mode 100644 index 29fa661fc7a6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", - "false_positives": [ - "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Halfbaked Command and Control Beacon", - "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", - "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "https://attack.mitre.org/software/S0151/" - ], - "related_integrations": [], - "risk_score": 73, - "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1568", - "name": "Dynamic Resolution", - "reference": "https://attack.mitre.org/techniques/T1568/", - "subtechnique": [ - { - "id": "T1568.002", - "name": "Domain Generation Algorithms", - "reference": "https://attack.mitre.org/techniques/T1568/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "2e580225-2a58-48ef-938b-572933be06fe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json new file mode 100644 index 000000000000..3186cd23e91d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", + "false_positives": [ + "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Halfbaked Command and Control Beacon", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://attack.mitre.org/software/S0151/" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", + "severity": "high", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "2e580225-2a58-48ef-938b-572933be06fe_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json new file mode 100644 index 000000000000..c04e3f89f36d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json @@ -0,0 +1,68 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", + "false_positives": [ + "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Halfbaked Command and Control Beacon", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://attack.mitre.org/software/S0151/" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "2e580225-2a58-48ef-938b-572933be06fe_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json deleted file mode 100644 index 6bb27cae83b3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation of a Hidden Local User Account", - "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", - "references": [ - "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", - "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json new file mode 100644 index 000000000000..67474d69a046 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of a Hidden Local User Account", + "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json new file mode 100644 index 000000000000..31b4db5c8504 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of a Hidden Local User Account", + "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json deleted file mode 100644 index b2e3e524a2fa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1123", - "name": "Audio Capture", - "reference": "https://attack.mitre.org/techniques/T1123/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json new file mode 100644 index 000000000000..b2cb39868d44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json new file mode 100644 index 000000000000..5a29c407f4c0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json deleted file mode 100644 index 8a41657115f8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Disable Syslog Service", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2f8a1226-5720-437d-9c20-e0029deb6194", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json new file mode 100644 index 000000000000..2d4a329ca856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Syslog Service", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n ((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill)))\n and process.args:(syslog or rsyslog or \"syslog-ng\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "2f8a1226-5720-437d-9c20-e0029deb6194_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json new file mode 100644 index 000000000000..6d875c7a2fe1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Syslog Service", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n ((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill)))\n and process.args:(syslog or rsyslog or \"syslog-ng\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "2f8a1226-5720-437d-9c20-e0029deb6194_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json new file mode 100644 index 000000000000..1f12374c343d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable Syslog Service", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2f8a1226-5720-437d-9c20-e0029deb6194_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json deleted file mode 100644 index cd24dfe44b61..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json new file mode 100644 index 000000000000..52b3cba122b9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Folder Persistence via Unsigned Process", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json new file mode 100644 index 000000000000..94ae73e7b951 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Folder Persistence via Unsigned Process", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json new file mode 100644 index 000000000000..4d3d29f08b64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Folder Persistence via Unsigned Process", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json deleted file mode 100644 index bbc60cc530d9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Defender Disabled via Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", - "references": [ - "https://thedfirreport.com/2020/12/13/defender-control/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - }, - { - "id": "T1562.006", - "name": "Indicator Blocking", - "reference": "https://attack.mitre.org/techniques/T1562/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json new file mode 100644 index 000000000000..5a57e0cdfb2a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Disabled via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json new file mode 100644 index 000000000000..9bd27ff1ab5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Disabled via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json deleted file mode 100644 index 893df7f4a2e9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", - "false_positives": [ - "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Firewall Rule Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n", - "references": [ - "https://cloud.google.com/vpc/docs/firewalls", - "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "30562697-9859-4ae0-a8c5-dab45d664170", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json new file mode 100644 index 000000000000..76dbea350e79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", + "false_positives": [ + "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "30562697-9859-4ae0-a8c5-dab45d664170_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json new file mode 100644 index 000000000000..a4ef8f5387ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", + "false_positives": [ + "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "30562697-9859-4ae0-a8c5-dab45d664170_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json deleted file mode 100644 index 3d37e5f8861e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "ESXI Timestomping using Touch Command", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.006", - "name": "Timestomp", - "reference": "https://attack.mitre.org/techniques/T1070/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json new file mode 100644 index 000000000000..3e3f27a2f57d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json new file mode 100644 index 000000000000..d2c2648923d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json deleted file mode 100644 index c75d2ab943f8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", - "false_positives": [ - "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." - ], - "from": "now-9m", - "index": [ - "logs-*", - "metrics-*", - "traces-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Agent Spoofing - Mismatched Agent ID", - "query": "event.agent_id_status:agent_id_mismatch\n", - "required_fields": [ - { - "ecs": true, - "name": "event.agent_id_status", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json new file mode 100644 index 000000000000..e2674d5ce921 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", + "false_positives": [ + "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." + ], + "from": "now-9m", + "index": [ + "logs-*", + "metrics-*", + "traces-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Agent Spoofing - Mismatched Agent ID", + "query": "event.agent_id_status:agent_id_mismatch\n", + "required_fields": [ + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", + "severity": "high", + "tags": [ + "Elastic", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json new file mode 100644 index 000000000000..182ea8871aaf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", + "false_positives": [ + "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." + ], + "from": "now-9m", + "index": [ + "logs-*", + "metrics-*", + "traces-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Agent Spoofing - Mismatched Agent ID", + "query": "event.agent_id_status:agent_id_mismatch\n", + "required_fields": [ + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json deleted file mode 100644 index 4fc5f104a607..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", - "false_positives": [ - "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Inbound Connection to an Unsecure Elasticsearch Node", - "note": "", - "query": "event.dataset: network_traffic.http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", - "references": [ - "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", - "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers" - ], - "related_integrations": [], - "risk_score": 47, - "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", - "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", - "severity": "medium", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "31295df3-277b-4c56-a1fb-84e31b4222a9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json new file mode 100644 index 000000000000..26e3c08f73b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json @@ -0,0 +1,61 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", + "false_positives": [ + "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Inbound Connection to an Unsecure Elasticsearch Node", + "note": "", + "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", + "references": [ + "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", + "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers" + ], + "related_integrations": [], + "risk_score": 47, + "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", + "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Initial Access", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "31295df3-277b-4c56-a1fb-84e31b4222a9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json new file mode 100644 index 000000000000..7b814561d70f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", + "false_positives": [ + "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Inbound Connection to an Unsecure Elasticsearch Node", + "note": "", + "query": "event.dataset: network_traffic.http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", + "references": [ + "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", + "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers" + ], + "related_integrations": [], + "risk_score": 47, + "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", + "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", + "severity": "medium", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "31295df3-277b-4c56-a1fb-84e31b4222a9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json deleted file mode 100644 index 4b54dea8f163..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json new file mode 100644 index 000000000000..111407f59467 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Bypass UAC via Event Viewer", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json new file mode 100644 index 000000000000..17441ee5a2b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Bypass UAC via Event Viewer", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json new file mode 100644 index 000000000000..0d968a714252 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Bypass UAC via Event Viewer", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json deleted file mode 100644 index 79394ed94f47..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.", - "false_positives": [ - "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Topic Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n", - "references": [ - "https://cloud.google.com/pubsub/docs/overview" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3202e172-01b1-4738-a932-d024c514ba72", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "3202e172-01b1-4738-a932-d024c514ba72", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json new file mode 100644 index 000000000000..fff4d415f253 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.", + "false_positives": [ + "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Topic Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3202e172-01b1-4738-a932-d024c514ba72", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "3202e172-01b1-4738-a932-d024c514ba72_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json new file mode 100644 index 000000000000..74054fc25ea5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.", + "false_positives": [ + "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Topic Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3202e172-01b1-4738-a932-d024c514ba72", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "3202e172-01b1-4738-a932-d024c514ba72_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json deleted file mode 100644 index a83d82710cf4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.", - "false_positives": [ - "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Network Watcher Deletion", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "323cb487-279d-4218-bcbd-a568efe930c6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json new file mode 100644 index 000000000000..c8b5c37991e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.", + "false_positives": [ + "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Network Watcher Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "323cb487-279d-4218-bcbd-a568efe930c6_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json new file mode 100644 index 000000000000..8a68b369ab80 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.", + "false_positives": [ + "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Network Watcher Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "323cb487-279d-4218-bcbd-a568efe930c6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json deleted file mode 100644 index a3fd31effc93..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) to the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "32923416-763a-4531-bb35-f33b9232ecdb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json new file mode 100644 index 000000000000..8439c128e077 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "32923416-763a-4531-bb35-f33b9232ecdb_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json new file mode 100644 index 000000000000..2ada57b08b4c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RPC (Remote Procedure Call) to the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "32923416-763a-4531-bb35-f33b9232ecdb_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json deleted file mode 100644 index 1a8a684b7e54..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Program Files Directory Masquerading", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.005", - "name": "Match Legitimate Name or Location", - "reference": "https://attack.mitre.org/techniques/T1036/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json new file mode 100644 index 000000000000..cc9daf663f7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Program Files Directory Masquerading", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json new file mode 100644 index 000000000000..a7e9f2390063 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Program Files Directory Masquerading", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json deleted file mode 100644 index 20eae2079e4c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious MS Outlook Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json new file mode 100644 index 000000000000..3b69ff52df3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Outlook Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json new file mode 100644 index 000000000000..2334347f079c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Outlook Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json deleted file mode 100644 index 7b5f5bf2e216..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", - "false_positives": [ - "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM User Addition to Group", - "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "333de828-8190-4cf5-8d7c-7575846f6fe0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json new file mode 100644 index 000000000000..b874c7e42146 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", + "false_positives": [ + "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM User Addition to Group", + "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Credential Access", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json new file mode 100644 index 000000000000..427a9993f099 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", + "false_positives": [ + "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM User Addition to Group", + "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json deleted file mode 100644 index c387907544bc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "ESXI Discovery via Find", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "33a6752b-da5e-45f8-b13a-5f094c09522f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json new file mode 100644 index 000000000000..07cbcd257099 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Find", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json new file mode 100644 index 000000000000..4718e2631835 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Find", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json deleted file mode 100644 index ac7ac14476bd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json +++ /dev/null @@ -1,134 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "33f306e8-417c-411b-965c-c2812d6d3f4d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json new file mode 100644 index 000000000000..19a806c6b19a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json new file mode 100644 index 000000000000..838631295688 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json new file mode 100644 index 000000000000..4b1877e1560d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json deleted file mode 100644 index 30165565cf32..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", - "false_positives": [ - "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Accepted Default Telnet Port Connection", - "query": "event.dataset: network_traffic.flow and event.type: connection\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Lateral Movement", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", - "timeline_title": "Comprehensive Network Timeline", - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json new file mode 100644 index 000000000000..6110935b72f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", + "false_positives": [ + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Accepted Default Telnet Port Connection", + "query": "event.category:(network or network_traffic) and destination.port:23\n and network.direction:(inbound or ingress or outbound or egress)\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host", + "Lateral Movement", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", + "timeline_title": "Comprehensive Network Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "34fde489-94b0-4500-a76f-b8a157cf9269_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json new file mode 100644 index 000000000000..48dad282d275 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", + "false_positives": [ + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Accepted Default Telnet Port Connection", + "query": "event.dataset: network_traffic.flow and event.type: connection\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", + "timeline_title": "Comprehensive Network Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "34fde489-94b0-4500-a76f-b8a157cf9269_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json deleted file mode 100644 index 1fe124acf010..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Execution via Electron Child Process Node.js Module", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", - "references": [ - "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", - "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", - "https://nodejs.org/api/child_process.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json new file mode 100644 index 000000000000..6049160a2460 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution via Electron Child Process Node.js Module", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", + "references": [ + "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", + "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", + "https://nodejs.org/api/child_process.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json new file mode 100644 index 000000000000..472780974e0a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution via Electron Child Process Node.js Module", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", + "references": [ + "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", + "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", + "https://nodejs.org/api/child_process.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json deleted file mode 100644 index 8589842d2eda..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Port Forwarding Rule Addition", - "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1572", - "name": "Protocol Tunneling", - "reference": "https://attack.mitre.org/techniques/T1572/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json new file mode 100644 index 000000000000..2014200b09e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Port Forwarding Rule Addition", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json new file mode 100644 index 000000000000..30a71364d7d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Port Forwarding Rule Addition", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json deleted file mode 100644 index 137487e61454..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Parent-Child Relationship", - "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", - "references": [ - "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", - "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.012", - "name": "Process Hollowing", - "reference": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json new file mode 100644 index 000000000000..f9c2c9281ba2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json new file mode 100644 index 000000000000..c378b9133226 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json new file mode 100644 index 000000000000..4edb3fa4cd2e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json deleted file mode 100644 index 29964e3062fd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", - "false_positives": [ - "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_destination_country", - "name": "Network Traffic to Rare Destination Country", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "35f86980-1fb1-4dff-b311-3be941549c8d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json new file mode 100644 index 000000000000..4eec87ffba66 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_destination_country", + "name": "Network Traffic to Rare Destination Country", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "35f86980-1fb1-4dff-b311-3be941549c8d_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json new file mode 100644 index 000000000000..cadb313651aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_destination_country", + "name": "Network Traffic to Rare Destination Country", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "35f86980-1fb1-4dff-b311-3be941549c8d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json deleted file mode 100644 index 9a6a982ce16f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", - "false_positives": [ - "False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Started from Process ID (PID) File", - "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", - "references": [ - "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3688577a-d196-11ec-90b0-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json new file mode 100644 index 000000000000..31a16e44e750 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Started from Process ID (PID) File", + "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "BPFDoor", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3688577a-d196-11ec-90b0-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json new file mode 100644 index 000000000000..ac78117bab0e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Started from Process ID (PID) File", + "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3688577a-d196-11ec-90b0-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json deleted file mode 100644 index b5c8f556f667..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious ImagePath Service Creation", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json new file mode 100644 index 000000000000..2a3e9b25208c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ImagePath Service Creation", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json new file mode 100644 index 000000000000..7fde31511618 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ImagePath Service Creation", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json deleted file mode 100644 index 60512251b2dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", - "false_positives": [ - "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Security Group Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.003", - "name": "Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1136/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json new file mode 100644 index 000000000000..f9e1ec49cd40 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", + "false_positives": [ + "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Security Group Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.003", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1136/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json new file mode 100644 index 000000000000..1cc21dad9c7a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", + "false_positives": [ + "An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Security Group Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.003", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1136/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json deleted file mode 100644 index ba6bb979d9ef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Willem D'Haese" - ], - "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Active Directory High Risk Sign-in", - "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", - "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.signinlogs.properties.risk_level_aggregated", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.signinlogs.properties.risk_level_during_signin", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for `azure.signinlogs.properties.risk_level_during_signin` and `azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "37994bca-0611-4500-ab67-5588afe73b77", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json new file mode 100644 index 000000000000..70e5b7a5978b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese" + ], + "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory High Risk Sign-in", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_level_aggregated", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_level_during_signin", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for `azure.signinlogs.properties.risk_level_during_signin` and `azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "37994bca-0611-4500-ab67-5588afe73b77_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json new file mode 100644 index 000000000000..8f8396b726af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Willem D'Haese" + ], + "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory High Risk Sign-in", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_level_aggregated", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.risk_level_during_signin", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for `azure.signinlogs.properties.risk_level_during_signin` and `azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "37994bca-0611-4500-ab67-5588afe73b77_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json deleted file mode 100644 index 7caff5e3dcee..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Execution via System Manager", - "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json new file mode 100644 index 000000000000..9e74d6d4bc9b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Execution via System Manager", + "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Initial Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json new file mode 100644 index 000000000000..94c8158346d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Execution via System Manager", + "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json deleted file mode 100644 index b29e365de806..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", - "false_positives": [ - "Trusted Finder Sync Plugins" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Finder Sync Plugin Registered and Enabled", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", - "references": [ - "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "37f638ea-909d-4f94-9248-edd21e4a9906", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json new file mode 100644 index 000000000000..757d7af3337a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", + "false_positives": [ + "Trusted Finder Sync Plugins" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Finder Sync Plugin Registered and Enabled", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "37f638ea-909d-4f94-9248-edd21e4a9906_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json new file mode 100644 index 000000000000..f82a6a6c719c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", + "false_positives": [ + "Trusted Finder Sync Plugins" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Finder Sync Plugin Registered and Enabled", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "37f638ea-909d-4f94-9248-edd21e4a9906_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json deleted file mode 100644 index bb32a7a6a1d6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempted Bypass of Okta MFA", - "note": "", - "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1111", - "name": "Multi-Factor Authentication Interception", - "reference": "https://attack.mitre.org/techniques/T1111/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json new file mode 100644 index 000000000000..b64518d3c05b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempted Bypass of Okta MFA", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1111", + "name": "Multi-Factor Authentication Interception", + "reference": "https://attack.mitre.org/techniques/T1111/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json new file mode 100644 index 000000000000..ee503b1c601d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempted Bypass of Okta MFA", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1111", + "name": "Multi-Factor Authentication Interception", + "reference": "https://attack.mitre.org/techniques/T1111/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json deleted file mode 100644 index 8f097b6a2b66..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", - "https://frsecure.com/malware-incident-response-playbook/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json new file mode 100644 index 000000000000..854acfcb4c7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json new file mode 100644 index 000000000000..aa1743756dfc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json new file mode 100644 index 000000000000..1ae05fcb4a3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json deleted file mode 100644 index 3058e937210c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Prompt for Credentials with OSASCRIPT", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", - "references": [ - "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", - "https://ss64.com/osx/osascript.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1056", - "name": "Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/", - "subtechnique": [ - { - "id": "T1056.002", - "name": "GUI Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json new file mode 100644 index 000000000000..a91834d3a342 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Prompt for Credentials with OSASCRIPT", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", + "https://ss64.com/osx/osascript.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.002", + "name": "GUI Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json new file mode 100644 index 000000000000..2845bd85c3fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Prompt for Credentials with OSASCRIPT", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", + "https://ss64.com/osx/osascript.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.002", + "name": "GUI Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json deleted file mode 100644 index 4e837cc1a1cf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Added as Owner for Azure Service Principal", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json new file mode 100644 index 000000000000..30bbbb8312b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added as Owner for Azure Service Principal", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json new file mode 100644 index 000000000000..b890b29a4f83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added as Owner for Azure Service Principal", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json deleted file mode 100644 index ff168d72dff2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", - "false_positives": [ - "Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "eql", - "license": "Elastic License v2", - "name": "External User Added to Google Workspace Group", - "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", - "references": [ - "https://support.google.com/a/answer/33329" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.target.email", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.target.group.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json new file mode 100644 index 000000000000..ccd63a215a3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", + "false_positives": [ + "Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "External User Added to Google Workspace Group", + "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", + "references": [ + "https://support.google.com/a/answer/33329" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Initial Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json new file mode 100644 index 000000000000..97a5ef702285 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", + "false_positives": [ + "Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "External User Added to Google Workspace Group", + "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", + "references": [ + "https://support.google.com/a/answer/33329" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.email", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.target.group.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json deleted file mode 100644 index 1f3d59f3c760..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", - "false_positives": [ - "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Network Access Control List Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json new file mode 100644 index 000000000000..ca2ec1f2a9aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", + "false_positives": [ + "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Network Access Control List Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json new file mode 100644 index 000000000000..4bfdcd6969d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", + "false_positives": [ + "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Network Access Control List Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json deleted file mode 100644 index 9a8703dae190..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", - "false_positives": [ - "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Microsoft Outlook VBA", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", - "references": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1137", - "name": "Office Application Startup", - "reference": "https://attack.mitre.org/techniques/T1137/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "397945f3-d39a-4e6f-8bcb-9656c2031438", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json new file mode 100644 index 000000000000..2cb0b19a1f57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", + "false_positives": [ + "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Outlook VBA", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", + "references": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json new file mode 100644 index 000000000000..78c3478c5ca7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", + "false_positives": [ + "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Outlook VBA", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", + "references": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json deleted file mode 100644 index 132e69990656..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential DNS Tunneling via NsLookup", - "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", - "references": [ - "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.004", - "name": "DNS", - "reference": "https://attack.mitre.org/techniques/T1071/004/" - } - ] - } - ] - } - ], - "threshold": { - "field": [ - "host.id" - ], - "value": 15 - }, - "type": "threshold", - "version": 105 - }, - "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json new file mode 100644 index 000000000000..c39516f00e0a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via NsLookup", + "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 15 + }, + "type": "threshold", + "version": 104 + }, + "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json new file mode 100644 index 000000000000..d55a8e1d13f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via NsLookup", + "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 15 + }, + "type": "threshold", + "version": 105 + }, + "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json deleted file mode 100644 index 6109feac93da..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Module Loaded by LSASS", - "note": "", - "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", - "references": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-2/", - "https://github.com/jas502n/mimikat_ssp" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.hash.sha256", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json new file mode 100644 index 000000000000..bacfd46f6106 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Module Loaded by LSASS", + "note": "", + "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", + "references": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-2/", + "https://github.com/jas502n/mimikat_ssp" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json new file mode 100644 index 000000000000..04520e62d25b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Module Loaded by LSASS", + "note": "", + "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", + "references": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-2/", + "https://github.com/jas502n/mimikat_ssp" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json deleted file mode 100644 index 57772d9241fc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) to the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Software", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json new file mode 100644 index 000000000000..6c6143875f75 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json new file mode 100644 index 000000000000..1dd1a88d56cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) to the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json deleted file mode 100644 index d889c6b77631..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", - "false_positives": [ - "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Full Network Packet Capture Detected", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\n ) and\nevent.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1040", - "name": "Network Sniffing", - "reference": "https://attack.mitre.org/techniques/T1040/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json new file mode 100644 index 000000000000..e1e2d2d533b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Full Network Packet Capture Detected", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json new file mode 100644 index 000000000000..230b188d5595 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Full Network Packet Capture Detected", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json new file mode 100644 index 000000000000..7d6a5d412a76 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Full Network Packet Capture Detected", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\n ) and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json deleted file mode 100644 index c0c78ef9adf1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Malware - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame" - ], - "type": "query", - "version": 101 - }, - "id": "3b382770-efbb-44f4-beed-f5e0a051b895", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json new file mode 100644 index 000000000000..8909182e86ee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Malware - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 100 + }, + "id": "3b382770-efbb-44f4-beed-f5e0a051b895_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json new file mode 100644 index 000000000000..72840ba2b92e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Malware - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame" + ], + "type": "query", + "version": 101 + }, + "id": "3b382770-efbb-44f4-beed-f5e0a051b895_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json deleted file mode 100644 index 1471747e7d25..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Parent Process for cmd.exe", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3b47900d-e793-49e8-968f-c90dc3526aa1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json new file mode 100644 index 000000000000..425c352b9c50 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json new file mode 100644 index 000000000000..0ee26cc8fc04 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json deleted file mode 100644 index 17dcea6a4681..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "NTDS or SAM Database File Copied", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", - "references": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json new file mode 100644 index 000000000000..847d119d4184 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "NTDS or SAM Database File Copied", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json new file mode 100644 index 000000000000..c5170ada8d8a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "NTDS or SAM Database File Copied", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json deleted file mode 100644 index e5f01d95b151..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_anomalous_network_port_activity" - ], - "name": "Unusual Linux Network Port Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json new file mode 100644 index 000000000000..f12cd0904d7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_port_activity" + ], + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json new file mode 100644 index 000000000000..ae1feb61858d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_port_activity" + ], + "name": "Unusual Linux Network Port Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json deleted file mode 100644 index cda8b299e665..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", - "false_positives": [ - "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Updated", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "3e002465-876f-4f04-b016-84ef48ce7e5d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json new file mode 100644 index 000000000000..86bdce9fd627 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", + "false_positives": [ + "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Updated", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json new file mode 100644 index 000000000000..f134f0586c68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", + "false_positives": [ + "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Updated", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json deleted file mode 100644 index eb992f178a90..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json +++ /dev/null @@ -1,141 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution via Windows Subsystem for Linux", - "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", - "references": [ - "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", - "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json new file mode 100644 index 000000000000..07eb2cd8c463 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json @@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json new file mode 100644 index 000000000000..0d6384fbd128 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json @@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json deleted file mode 100644 index 2091fbd426e9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Emond Child Process", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", - "references": [ - "https://www.xorrior.com/emond-persistence/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.014", - "name": "Emond", - "reference": "https://attack.mitre.org/techniques/T1546/014/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "3e3d15c6-1509-479a-b125-21718372157e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json new file mode 100644 index 000000000000..d1cc6bc90e85 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Emond Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "3e3d15c6-1509-479a-b125-21718372157e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json new file mode 100644 index 000000000000..9ef15f4d0997 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Emond Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "3e3d15c6-1509-479a-b125-21718372157e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json deleted file mode 100644 index 7a70b1535ff1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privilege Escalation via Named Pipe Impersonation", - "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", - "references": [ - "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", - "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", - "https://redcanary.com/blog/getsystem-offsec/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json new file mode 100644 index 000000000000..14563bed5ca1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", + "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", + "https://redcanary.com/blog/getsystem-offsec/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json new file mode 100644 index 000000000000..2438fb594610 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", + "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", + "https://redcanary.com/blog/getsystem-offsec/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json new file mode 100644 index 000000000000..cb86acd183e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", + "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", + "https://redcanary.com/blog/getsystem-offsec/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json deleted file mode 100644 index 381b3b05a423..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Process Creation CallTrace", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetProcessGUID", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "eql", - "version": 107 - }, - "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json new file mode 100644 index 000000000000..057d3b33bffb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Creation CallTrace", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetProcessGUID", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json new file mode 100644 index 000000000000..264a532f2ed3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Creation CallTrace", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetProcessGUID", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_107.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_107.json new file mode 100644 index 000000000000..abbe45c6d6aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_107.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Creation CallTrace", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetProcessGUID", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json deleted file mode 100644 index 145e32e4d453..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Password Spraying of Microsoft 365 User Accounts", - "note": "", - "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "source.ip" - ], - "value": 25 - }, - "type": "threshold", - "version": 102 - }, - "id": "3efee4f0-182a-40a8-a835-102c68a4175d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json new file mode 100644 index 000000000000..4a6342ae82d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 101 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json new file mode 100644 index 000000000000..80b33db6d25d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 102 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json deleted file mode 100644 index 71cee4a2c9fd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.", - "false_positives": [ - "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-cyberarkpas.audit*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "CyberArk Privileged Access Security Error", - "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", - "query": "event.dataset:cyberarkpas.audit and event.type:error\n", - "references": [ - "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3" - ], - "related_integrations": [ - { - "package": "cyberarkpas", - "version": "^2.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", - "rule_name_override": "event.action", - "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Data Source: CyberArk PAS", - "Use Case: Log Auditing", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json new file mode 100644 index 000000000000..acccee96f1fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-cyberarkpas.audit*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "CyberArk Privileged Access Security Error", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset:cyberarkpas.audit and event.type:error\n", + "references": [ + "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3" + ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "^2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", + "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "cyberarkpas", + "SecOps", + "Log Auditing", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json new file mode 100644 index 000000000000..83cab64b4971 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-cyberarkpas.audit*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "CyberArk Privileged Access Security Error", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset:cyberarkpas.audit and event.type:error\n", + "references": [ + "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3" + ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "^2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", + "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Data Source: CyberArk PAS", + "Use Case: Log Auditing", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json deleted file mode 100644 index 805f89f3c435..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", - "false_positives": [ - "Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Binary Executed from Shared Memory Directory", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action : (\"exec\", \"exec_event\") and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", - "references": [ - "https://linuxsecurity.com/features/fileless-malware-on-linux", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json new file mode 100644 index 000000000000..436931f2f499 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", + "false_positives": [ + "Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Binary Executed from Shared Memory Directory", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action : (\"exec\", \"exec_event\") and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", + "references": [ + "https://linuxsecurity.com/features/fileless-malware-on-linux", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "BPFDoor", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json new file mode 100644 index 000000000000..20b55cf21f11 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", + "false_positives": [ + "Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Binary Executed from Shared Memory Directory", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action : (\"exec\", \"exec_event\") and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", + "references": [ + "https://linuxsecurity.com/features/fileless-malware-on-linux", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json deleted file mode 100644 index 34d560d4e4ee..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Persistence via Services Registry", - "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "403ef0d3-8259-40c9-a5b6-d48354712e49", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json new file mode 100644 index 000000000000..3394364c3b2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Persistence via Services Registry", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json new file mode 100644 index 000000000000..485c4d300cce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Persistence via Services Registry", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json deleted file mode 100644 index 6a8c1ff0ea1d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Modprobe File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\") or process.title : (\"*grep*\") or process.parent.pid == 1)\n", - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - }, - { - "ecs": true, - "name": "process.title", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "low", - "tags": [ - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json new file mode 100644 index 000000000000..3f1890c95523 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Modprobe File Event", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\") or process.title : (\"*grep*\") or process.parent.pid == 1)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.title", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "low", + "tags": [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json deleted file mode 100644 index e46ddcf7ec4c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Control Panel Process with Unusual Arguments", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", - "references": [ - "https://www.joesandbox.com/analysis/476188/1/html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.002", - "name": "Control Panel", - "reference": "https://attack.mitre.org/techniques/T1218/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "416697ae-e468-4093-a93d-59661fa619ec", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json new file mode 100644 index 000000000000..66a3874074b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Control Panel Process with Unusual Arguments", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", + "references": [ + "https://www.joesandbox.com/analysis/476188/1/html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.002", + "name": "Control Panel", + "reference": "https://attack.mitre.org/techniques/T1218/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "416697ae-e468-4093-a93d-59661fa619ec_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json new file mode 100644 index 000000000000..04b4e4e46750 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Control Panel Process with Unusual Arguments", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", + "references": [ + "https://www.joesandbox.com/analysis/476188/1/html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.002", + "name": "Control Panel", + "reference": "https://attack.mitre.org/techniques/T1218/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "416697ae-e468-4093-a93d-59661fa619ec_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json deleted file mode 100644 index b612a6da33fb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "EggShell Backdoor Execution", - "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", - "references": [ - "https://github.com/neoneggplant/EggShell" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json new file mode 100644 index 000000000000..0be338ea72f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "EggShell Backdoor Execution", + "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", + "references": [ + "https://github.com/neoneggplant/EggShell" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json new file mode 100644 index 000000000000..6d4874325775 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "EggShell Backdoor Execution", + "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", + "references": [ + "https://github.com/neoneggplant/EggShell" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json deleted file mode 100644 index b4ba37023f5d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Hidden Local User Account Creation", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", - "references": [ - "https://support.apple.com/en-us/HT203998" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json new file mode 100644 index 000000000000..83be5f1da6b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Hidden Local User Account Creation", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", + "references": [ + "https://support.apple.com/en-us/HT203998" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json new file mode 100644 index 000000000000..9cbb457fd92d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Hidden Local User Account Creation", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", + "references": [ + "https://support.apple.com/en-us/HT203998" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json deleted file mode 100644 index 5add25911e2d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Okta Brute Force or Password Spraying Attack", - "note": "", - "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "source.ip" - ], - "value": 25 - }, - "type": "threshold", - "version": 103 - }, - "id": "42bf698b-4738-445b-8231-c834ddefd8a0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json new file mode 100644 index 000000000000..3b6cdd7b41f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta Brute Force or Password Spraying Attack", + "note": "", + "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 102 + }, + "id": "42bf698b-4738-445b-8231-c834ddefd8a0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json new file mode 100644 index 000000000000..d0ffe6ab704b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta Brute Force or Password Spraying Attack", + "note": "", + "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "type": "threshold", + "version": 103 + }, + "id": "42bf698b-4738-445b-8231-c834ddefd8a0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json deleted file mode 100644 index 30027a46c151..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json +++ /dev/null @@ -1,122 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Creation via Secondary Logon", - "note": "", - "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", - "references": [ - "https://attack.mitre.org/techniques/T1134/002/" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.LogonProcessName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", - "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.002", - "name": "Create Process with Token", - "reference": "https://attack.mitre.org/techniques/T1134/002/" - }, - { - "id": "T1134.003", - "name": "Make and Impersonate Token", - "reference": "https://attack.mitre.org/techniques/T1134/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 - }, - "id": "42eeee3d-947f-46d3-a14d-7036b962c266", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json new file mode 100644 index 000000000000..21b82ef885dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Creation via Secondary Logon", + "note": "", + "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where host.os.type == \"windows\" and event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where host.os.type == \"windows\" and event.type == \"start\"] by winlog.event_data.TargetLogonId\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", + "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "42eeee3d-947f-46d3-a14d-7036b962c266_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json new file mode 100644 index 000000000000..3bc6b8cdd3b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Creation via Secondary Logon", + "note": "", + "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", + "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "42eeee3d-947f-46d3-a14d-7036b962c266_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json new file mode 100644 index 000000000000..a9ed6f6905a4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Creation via Secondary Logon", + "note": "", + "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", + "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "42eeee3d-947f-46d3-a14d-7036b962c266_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json deleted file mode 100644 index 215e8714d957..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies an unusually high number of authentication attempts.", - "false_positives": [ - "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "suspicious_login_activity", - "name": "Unusual Login Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json new file mode 100644 index 000000000000..aedb0ee93c13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies an unusually high number of authentication attempts.", + "false_positives": [ + "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "suspicious_login_activity", + "name": "Unusual Login Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json new file mode 100644 index 000000000000..ce7bf6ebfcce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies an unusually high number of authentication attempts.", + "false_positives": [ + "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "suspicious_login_activity", + "name": "Unusual Login Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json deleted file mode 100644 index a191c33846b0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux User Added to Privileged Group", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json new file mode 100644 index 000000000000..f7c19cdbf3b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux User Added to Privileged Group", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json deleted file mode 100644 index b0debc1d4745..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", - "references": [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "440e2db4-bc7f-4c96-a068-65b78da59bde", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json new file mode 100644 index 000000000000..07f139de3241 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Persistence by a Suspicious Process", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json new file mode 100644 index 000000000000..c435644c8fd0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Persistence by a Suspicious Process", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json new file mode 100644 index 000000000000..8602cf217f05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Persistence by a Suspicious Process", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json deleted file mode 100644 index e2b13ac857c9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", - "false_positives": [ - "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_path_activity" - ], - "name": "Unusual Windows Path Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "445a342e-03fb-42d0-8656-0367eb2dead5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json new file mode 100644 index 000000000000..afc03acd6aab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_path_activity" + ], + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "445a342e-03fb-42d0-8656-0367eb2dead5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json new file mode 100644 index 000000000000..3e4b94f7939a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", + "false_positives": [ + "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_path_activity" + ], + "name": "Unusual Windows Path Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "445a342e-03fb-42d0-8656-0367eb2dead5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json deleted file mode 100644 index 7faa69218c3a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Vault Web Credentials Read", - "note": "", - "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", - "references": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SchemaFriendlyName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.004", - "name": "Windows Credential Manager", - "reference": "https://attack.mitre.org/techniques/T1555/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 8 - }, - "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json new file mode 100644 index 000000000000..372176cf8e82 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Vault Web Credentials Read", + "note": "", + "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where host.os.type == \"windows\" and event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where host.os.type == \"windows\" and event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", + "references": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SchemaFriendlyName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json new file mode 100644 index 000000000000..80cec9111c98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Vault Web Credentials Read", + "note": "", + "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", + "references": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SchemaFriendlyName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json new file mode 100644 index 000000000000..ff00a48d9f00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Vault Web Credentials Read", + "note": "", + "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", + "references": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SchemaFriendlyName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json new file mode 100644 index 000000000000..05b3b70d02cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Vault Web Credentials Read", + "note": "", + "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", + "references": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SchemaFriendlyName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 8 + }, + "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json deleted file mode 100644 index b99e2009bba1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Permission Theft - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "453f659e-0429-40b1-bfdb-b6957286e04b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json new file mode 100644 index 000000000000..6c9bc5615851 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Permission Theft - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "453f659e-0429-40b1-bfdb-b6957286e04b_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json new file mode 100644 index 000000000000..b664b55181ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Permission Theft - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "453f659e-0429-40b1-bfdb-b6957286e04b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json deleted file mode 100644 index 1cc821bb5dd0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Anabella Cristaldi" - ], - "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows Event Logs Cleared", - "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\"\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.api", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.001", - "name": "Clear Windows Event Logs", - "reference": "https://attack.mitre.org/techniques/T1070/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "45ac4800-840f-414c-b221-53dd36a5aaf7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json new file mode 100644 index 000000000000..e6bcaab7c3f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Event Logs Cleared", + "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and host.os.type:windows\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json new file mode 100644 index 000000000000..3d3a66556253 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Event Logs Cleared", + "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json new file mode 100644 index 000000000000..7daf2902ec29 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Event Logs Cleared", + "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json deleted file mode 100644 index 7d7591be0964..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Encrypting Files with WinRar or 7z", - "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", - "references": [ - "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1560", - "name": "Archive Collected Data", - "reference": "https://attack.mitre.org/techniques/T1560/", - "subtechnique": [ - { - "id": "T1560.001", - "name": "Archive via Utility", - "reference": "https://attack.mitre.org/techniques/T1560/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "45d273fb-1dca-457d-9855-bcb302180c21", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json new file mode 100644 index 000000000000..91e47ff753ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encrypting Files with WinRar or 7z", + "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", + "references": [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "45d273fb-1dca-457d-9855-bcb302180c21_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json new file mode 100644 index 000000000000..84fb91bb4cef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encrypting Files with WinRar or 7z", + "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", + "references": [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "45d273fb-1dca-457d-9855-bcb302180c21_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json deleted file mode 100644 index a222f803cdc1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json +++ /dev/null @@ -1,123 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Adding Hidden File Attribute via Attrib", - "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", - "timeline_title": "Comprehensive Process Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json new file mode 100644 index 000000000000..8d76834eea2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"attrib.exe\" and process.args : \"+h\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json new file mode 100644 index 000000000000..4f4dfd631715 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json new file mode 100644 index 000000000000..d387318324e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json new file mode 100644 index 000000000000..eed917228d44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json deleted file mode 100644 index aae686c17fbc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Local NTLM Relay via HTTP", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", - "references": [ - "https://github.com/med0x2e/NTLMRelay2Self", - "https://github.com/topotam/PetitPotam", - "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1212", - "name": "Exploitation for Credential Access", - "reference": "https://attack.mitre.org/techniques/T1212/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json new file mode 100644 index 000000000000..87dc1e16ea57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Local NTLM Relay via HTTP", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", + "references": [ + "https://github.com/med0x2e/NTLMRelay2Self", + "https://github.com/topotam/PetitPotam", + "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json new file mode 100644 index 000000000000..24f7ae7a5a67 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Local NTLM Relay via HTTP", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", + "references": [ + "https://github.com/med0x2e/NTLMRelay2Self", + "https://github.com/topotam/PetitPotam", + "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json deleted file mode 100644 index e5adf5659758..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_rare_process_by_host_linux" - ], - "name": "Unusual Process For a Linux Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.002", - "name": "Systemd Service", - "reference": "https://attack.mitre.org/techniques/T1543/002/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "46f804f5-b289-43d6-a881-9387cf594f75", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json new file mode 100644 index 000000000000..f0c170aa394a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_linux" + ], + "name": "Unusual Process For a Linux Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "46f804f5-b289-43d6-a881-9387cf594f75_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json new file mode 100644 index 000000000000..ae9a210db60d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_linux" + ], + "name": "Unusual Process For a Linux Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "46f804f5-b289-43d6-a881-9387cf594f75_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json deleted file mode 100644 index 7687e88a3fb6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, through the \"systemd-sysv-generator\" init.d files can be converted to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot time in order to gain persistence onto the system.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence Through init.d Detected", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", - "references": [ - "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json new file mode 100644 index 000000000000..eae437474fe0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, through the \"systemd-sysv-generator\" init.d files can be converted to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot time in order to gain persistence onto the system.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through init.d Detected", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json new file mode 100644 index 000000000000..31d658cfdce6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, through the \"systemd-sysv-generator\" init.d files can be converted to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot time in order to gain persistence onto the system.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through init.d Detected", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json deleted file mode 100644 index 346fc193b125..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", - "references": [ - "https://github.com/mpgn/BackupOperatorToDA", - "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.PrivilegeList", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.RelativeTargetName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", - "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 107 - }, - "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json new file mode 100644 index 000000000000..2052ae61bc58 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where host.os.type == \"windows\" and event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where host.os.type == \"windows\" and event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", + "references": [ + "https://github.com/mpgn/BackupOperatorToDA", + "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", + "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json new file mode 100644 index 000000000000..4b336c35b08e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", + "references": [ + "https://github.com/mpgn/BackupOperatorToDA", + "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", + "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json new file mode 100644 index 000000000000..044747a14b64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", + "references": [ + "https://github.com/mpgn/BackupOperatorToDA", + "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", + "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json deleted file mode 100644 index 0756dc73dc19..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Apple Script Execution followed by Network Connection", - "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.002", - "name": "AppleScript", - "reference": "https://attack.mitre.org/techniques/T1059/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "47f76567-d58a-4fed-b32b-21f571e28910", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json new file mode 100644 index 000000000000..2bf2b292b3f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Script Execution followed by Network Connection", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Command and Control", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "47f76567-d58a-4fed-b32b-21f571e28910_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json new file mode 100644 index 000000000000..40fdee027035 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Script Execution followed by Network Connection", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "47f76567-d58a-4fed-b32b-21f571e28910_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json deleted file mode 100644 index 0ca090bf5233..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", - "false_positives": [ - "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json new file mode 100644 index 000000000000..6a1ffb96318a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", + "false_positives": [ + "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json new file mode 100644 index 000000000000..06a66e4d0fee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", + "false_positives": [ + "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json deleted file mode 100644 index c86862e7a148..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell", - "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json new file mode 100644 index 000000000000..d85e9048382b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell", + "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json deleted file mode 100644 index c02b8b4f499e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", - "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", - "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", - "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 - }, - "id": "48b6edfc-079d-4907-b43c-baffa243270d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json new file mode 100644 index 000000000000..1939cc79f8dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure from the same Source Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "48b6edfc-079d-4907-b43c-baffa243270d_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json new file mode 100644 index 000000000000..16943da7f68c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure from the same Source Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", + "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", + "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", + "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "48b6edfc-079d-4907-b43c-baffa243270d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json new file mode 100644 index 000000000000..78ba41e38cfa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure from the same Source Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", + "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", + "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", + "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "48b6edfc-079d-4907-b43c-baffa243270d_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json new file mode 100644 index 000000000000..bae29e145466 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure from the same Source Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", + "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", + "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", + "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "48b6edfc-079d-4907-b43c-baffa243270d_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json deleted file mode 100644 index cccb1b361e69..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unexpected Child Process of macOS Screensaver Engine", - "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", - "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", - "references": [ - "https://posts.specterops.io/saving-your-access-d562bf5bf90b", - "https://github.com/D00MFist/PersistentJXA" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.002", - "name": "Screensaver", - "reference": "https://attack.mitre.org/techniques/T1546/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "48d7f54d-c29e-4430-93a9-9db6b5892270", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json new file mode 100644 index 000000000000..d71ab475b469 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unexpected Child Process of macOS Screensaver Engine", + "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.002", + "name": "Screensaver", + "reference": "https://attack.mitre.org/techniques/T1546/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json new file mode 100644 index 000000000000..f1c42ca40646 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unexpected Child Process of macOS Screensaver Engine", + "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.002", + "name": "Screensaver", + "reference": "https://attack.mitre.org/techniques/T1546/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json deleted file mode 100644 index 20a6fa5b41f5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Periodic Tasks", - "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", - "references": [ - "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", - "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", - "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json new file mode 100644 index 000000000000..71e9cd35e5af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Periodic Tasks", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", + "references": [ + "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", + "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", + "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json new file mode 100644 index 000000000000..3039c1d345fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Periodic Tasks", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", + "references": [ + "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", + "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", + "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json deleted file mode 100644 index bd8f49af67e6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json +++ /dev/null @@ -1,69 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", - "false_positives": [ - "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." - ], - "from": "now-9m", - "index": [ - "logs-*", - "metrics-*", - "traces-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "query": "event.agent_id_status:*\n", - "required_fields": [ - { - "ecs": true, - "name": "event.agent_id_status", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "493834ca-f861-414c-8602-150d5505b777", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "host.id", - "value": 2 - } - ], - "field": [ - "agent.id" - ], - "value": 2 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 101 - }, - "id": "493834ca-f861-414c-8602-150d5505b777", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json new file mode 100644 index 000000000000..edea919006d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json @@ -0,0 +1,70 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", + "false_positives": [ + "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." + ], + "from": "now-9m", + "index": [ + "logs-*", + "metrics-*", + "traces-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "query": "event.agent_id_status:*\n", + "required_fields": [ + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "493834ca-f861-414c-8602-150d5505b777", + "severity": "high", + "tags": [ + "Elastic", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "host.id", + "value": 2 + } + ], + "field": [ + "agent.id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 100 + }, + "id": "493834ca-f861-414c-8602-150d5505b777_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json new file mode 100644 index 000000000000..46b7765d6ade --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json @@ -0,0 +1,69 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", + "false_positives": [ + "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives." + ], + "from": "now-9m", + "index": [ + "logs-*", + "metrics-*", + "traces-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "query": "event.agent_id_status:*\n", + "required_fields": [ + { + "ecs": true, + "name": "event.agent_id_status", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "493834ca-f861-414c-8602-150d5505b777", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "host.id", + "value": 2 + } + ], + "field": [ + "agent.id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 101 + }, + "id": "493834ca-f861-414c-8602-150d5505b777_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json deleted file mode 100644 index 58b8a8a87f7f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Linux Backdoor User Account Creation", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json new file mode 100644 index 000000000000..55ae1d3e3131 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Backdoor User Account Creation", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json deleted file mode 100644 index 8e156c4c9ee1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", - "false_positives": [ - "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Application Removed from Blocklist in Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.old_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json new file mode 100644 index 000000000000..ed3c73ea2c62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Removed from Blocklist in Google Workspace", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.old_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Impair Defenses" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json new file mode 100644 index 000000000000..41be27ae950b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Removed from Blocklist in Google Workspace", + "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.old_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Impair Defenses", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json new file mode 100644 index 000000000000..259d53c346df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Removed from Blocklist in Google Workspace", + "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.old_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0.json b/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0.json deleted file mode 100644 index d16d8febd35d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Process Injection via LD_PRELOAD Environment Variable", - "note": "## Setup\nBy default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. \n```\nKibana --\u003e\nFleet --\u003e\nAgent policies --\u003e\nAgent policy for which the option should be enabled --\u003e\nName of the Elastic Defend integration --\u003e \nShow advanced settings --\u003e\nlinux.advanced.capture_env_vars\n```\n`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`. \nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.", - "query": "process where host.os.type == \"linux\" and \n event.action == \"exec\" and \n process.env_vars : (\"LD_PRELOAD=?*\", \"LD_LIBRARY_PATH=?*\") \n", - "references": [ - "https://www.getambassador.io/resources/code-injection-on-linux-and-macos" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.env_vars", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4973e46b-a663-41b8-a875-ced16dda2bb0", - "setup": "By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration.\n```\nKibana --\u003e\nFleet --\u003e\nAgent policies --\u003e\nAgent policy for which the option should be enabled --\u003e\nName of the Elastic Defend integration --\u003e \nShow advanced settings --\u003e\nlinux.advanced.capture_env_vars\n```\n`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "4973e46b-a663-41b8-a875-ced16dda2bb0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0_1.json b/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0_1.json new file mode 100644 index 000000000000..a1780d25cbb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4973e46b-a663-41b8-a875-ced16dda2bb0_1.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Process Injection via LD_PRELOAD Environment Variable", + "note": "## Setup\nBy default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. \n```\nKibana --\u003e\nFleet --\u003e\nAgent policies --\u003e\nAgent policy for which the option should be enabled --\u003e\nName of the Elastic Defend integration --\u003e \nShow advanced settings --\u003e\nlinux.advanced.capture_env_vars\n```\n`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`. \nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.", + "query": "process where host.os.type == \"linux\" and \n event.action == \"exec\" and \n process.env_vars : (\"LD_PRELOAD=?*\", \"LD_LIBRARY_PATH=?*\") \n", + "references": [ + "https://www.getambassador.io/resources/code-injection-on-linux-and-macos" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.env_vars", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4973e46b-a663-41b8-a875-ced16dda2bb0", + "setup": "By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration.\n```\nKibana --\u003e\nFleet --\u003e\nAgent policies --\u003e\nAgent policy for which the option should be enabled --\u003e\nName of the Elastic Defend integration --\u003e \nShow advanced settings --\u003e\nlinux.advanced.capture_env_vars\n```\n`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "4973e46b-a663-41b8-a875-ced16dda2bb0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json deleted file mode 100644 index 981b8b4f316f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", - "false_positives": [ - "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Possible FIN7 DGA Command and Control Behavior", - "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", - "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" - ], - "related_integrations": [], - "risk_score": 73, - "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1568", - "name": "Dynamic Resolution", - "reference": "https://attack.mitre.org/techniques/T1568/", - "subtechnique": [ - { - "id": "T1568.002", - "name": "Domain Generation Algorithms", - "reference": "https://attack.mitre.org/techniques/T1568/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "4a4e23cf-78a2-449c-bac3-701924c269d3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json new file mode 100644 index 000000000000..a06a40b4879a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", + "false_positives": [ + "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Possible FIN7 DGA Command and Control Behavior", + "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", + "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", + "severity": "high", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json new file mode 100644 index 000000000000..ac8daf2c3d21 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", + "false_positives": [ + "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Possible FIN7 DGA Command and Control Behavior", + "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", + "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5.json deleted file mode 100644 index db557705a9ca..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell via Suspicious Parent Process", - "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4b1a807a-4e7b-414e-8cea-24bf580f6fc5", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "4b1a807a-4e7b-414e-8cea-24bf580f6fc5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json new file mode 100644 index 000000000000..9b687688335d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Suspicious Parent Process", + "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4b1a807a-4e7b-414e-8cea-24bf580f6fc5", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json deleted file mode 100644 index 577853abc8b6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Disable Windows Firewall Rules via Netsh", - "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.004", - "name": "Disable or Modify System Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json new file mode 100644 index 000000000000..71296115f79a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Firewall Rules via Netsh", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json new file mode 100644 index 000000000000..73ece375def3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Firewall Rules via Netsh", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json deleted file mode 100644 index 4eb2ebb1065d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Process Execution Path - Alternate Data Stream", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.004", - "name": "NTFS File Attributes", - "reference": "https://attack.mitre.org/techniques/T1564/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json new file mode 100644 index 000000000000..691b61fc2f01 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Execution Path - Alternate Data Stream", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json new file mode 100644 index 000000000000..9704521b5a1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Execution Path - Alternate Data Stream", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json deleted file mode 100644 index d6219dd7a760..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Share Enumeration Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1135", - "name": "Network Share Discovery", - "reference": "https://attack.mitre.org/techniques/T1135/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - }, - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 - }, - "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json new file mode 100644 index 000000000000..5bae37c459d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Share Enumeration Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json new file mode 100644 index 000000000000..bcf9d45cd6b2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Share Enumeration Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json deleted file mode 100644 index 62f5e354302f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kernel Load or Unload via Kexec Detected", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", - "references": [ - "https://www.crowdstrike.com/blog/venom-vulnerability-details/", - "https://www.makeuseof.com/what-is-venom-vulnerability/", - "https://madaidans-insecurities.github.io/guides/linux-hardening.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1601", - "name": "Modify System Image", - "reference": "https://attack.mitre.org/techniques/T1601/", - "subtechnique": [ - { - "id": "T1601.001", - "name": "Patch System Image", - "reference": "https://attack.mitre.org/techniques/T1601/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json new file mode 100644 index 000000000000..daff70b29e28 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Load or Unload via Kexec Detected", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", + "references": [ + "https://www.crowdstrike.com/blog/venom-vulnerability-details/", + "https://www.makeuseof.com/what-is-venom-vulnerability/", + "https://madaidans-insecurities.github.io/guides/linux-hardening.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1601", + "name": "Modify System Image", + "reference": "https://attack.mitre.org/techniques/T1601/", + "subtechnique": [ + { + "id": "T1601.001", + "name": "Patch System Image", + "reference": "https://attack.mitre.org/techniques/T1601/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json deleted file mode 100644 index e8fc4e6a7e89..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Management Console Brute Force of Root User Identity", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "cloud.account.id" - ], - "value": 10 - }, - "type": "threshold", - "version": 103 - }, - "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json new file mode 100644 index 000000000000..2b5a26785b3c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Brute Force of Root User Identity", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "cloud.account.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 102 + }, + "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json new file mode 100644 index 000000000000..05ae2fa207d6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Brute Force of Root User Identity", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "cloud.account.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 103 + }, + "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json deleted file mode 100644 index d2bafe82b0d8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Disable Gatekeeper", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", - "references": [ - "https://support.apple.com/en-us/HT202491", - "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json new file mode 100644 index 000000000000..ed17c18db0c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Gatekeeper", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", + "references": [ + "https://support.apple.com/en-us/HT202491", + "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json new file mode 100644 index 000000000000..b713f099192a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Gatekeeper", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", + "references": [ + "https://support.apple.com/en-us/HT202491", + "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json deleted file mode 100644 index f6630f195f99..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Ivan Ninichuck", - "Austin Songer" - ], - "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Disable Windows Event and Security Logs Using Built-in Tools", - "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", - "references": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.001", - "name": "Clear Windows Event Logs", - "reference": "https://attack.mitre.org/techniques/T1070/001/" - } - ] - }, - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.006", - "name": "Indicator Blocking", - "reference": "https://attack.mitre.org/techniques/T1562/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json new file mode 100644 index 000000000000..df9c309d52de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Ivan Ninichuck", + "Austin Songer" + ], + "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Event and Security Logs Using Built-in Tools", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json new file mode 100644 index 000000000000..71f8df6c13ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Ivan Ninichuck", + "Austin Songer" + ], + "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Event and Security Logs Using Built-in Tools", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json deleted file mode 100644 index f8f4c55e217a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 - }, - "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json new file mode 100644 index 000000000000..2c1d692dc024 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure Followed by Logon Success", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json new file mode 100644 index 000000000000..4f75c496f4af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure Followed by Logon Success", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json new file mode 100644 index 000000000000..9c84813c7307 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure Followed by Logon Success", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json new file mode 100644 index 000000000000..28d82a13225d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure Followed by Logon Success", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json deleted file mode 100644 index a61d1e234a2f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Process Spawned from MOTD Detected", - "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", - "references": [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "4ec47004-b34a-42e6-8003-376a123ea447", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json new file mode 100644 index 000000000000..f766789a4cfa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Spawned from MOTD Detected", + "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "4ec47004-b34a-42e6-8003-376a123ea447_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json new file mode 100644 index 000000000000..377f3aeb3ce4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Spawned from MOTD Detected", + "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "4ec47004-b34a-42e6-8003-376a123ea447_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json deleted file mode 100644 index fc1f3e50fd5f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\" and\n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\",\n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")\n", - "references": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "4ed493fc-d637-4a36-80ff-ac84937e5461", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json new file mode 100644 index 000000000000..339c873f36bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\" and\n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\",\n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")\n", + "references": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json new file mode 100644 index 000000000000..89ba983b7911 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\" and\n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\",\n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")\n", + "references": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json deleted file mode 100644 index 8fd72e784c35..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Script Object Execution", - "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json new file mode 100644 index 000000000000..bd567a0b43e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Script Object Execution", + "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json new file mode 100644 index 000000000000..d86ff21fd0ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Script Object Execution", + "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json deleted file mode 100644 index 1cea13536473..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies unauthorized access attempts to Okta applications.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unauthorized Access to an Okta Application", - "note": "", - "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json new file mode 100644 index 000000000000..90a33b5bf2cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies unauthorized access attempts to Okta applications.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unauthorized Access to an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json new file mode 100644 index 000000000000..1af3751a1ae1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies unauthorized access attempts to Okta applications.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unauthorized Access to an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json deleted file mode 100644 index 3d560773ad85..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via TSClient Mountpoint", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json new file mode 100644 index 000000000000..ad00c0b87000 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via TSClient Mountpoint", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "4fe9d835-40e1-452d-8230-17c147cafad8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json new file mode 100644 index 000000000000..9c91bc8d62db --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via TSClient Mountpoint", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "4fe9d835-40e1-452d-8230-17c147cafad8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json deleted file mode 100644 index 76cd974101c6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Registry Persistence via AppCert DLL", - "note": "", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.009", - "name": "AppCert DLLs", - "reference": "https://attack.mitre.org/techniques/T1546/009/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json new file mode 100644 index 000000000000..8f51fdf81075 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json new file mode 100644 index 000000000000..445fc557dcfd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json deleted file mode 100644 index 6419f9545992..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", - "false_positives": [ - "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.Enabled", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "514121ce-c7b6-474a-8237-68ff71672379", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json new file mode 100644 index 000000000000..a266f5f62c39 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Data Protection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json new file mode 100644 index 000000000000..c8415c5ce4d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json deleted file mode 100644 index 06da8b3124d8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", - "false_positives": [ - "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Sink Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n", - "references": [ - "https://cloud.google.com/logging/docs/export" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "51859fa0-d86b-4214-bf48-ebb30ed91305", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json new file mode 100644 index 000000000000..36dd250fae44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", + "false_positives": [ + "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/export" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "51859fa0-d86b-4214-bf48-ebb30ed91305_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json new file mode 100644 index 000000000000..1d1a4139254c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", + "false_positives": [ + "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Sink Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/export" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "51859fa0-d86b-4214-bf48-ebb30ed91305_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json deleted file mode 100644 index f93de0769fed..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json +++ /dev/null @@ -1,130 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", - "references": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.003", - "name": "Distributed Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1021/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json new file mode 100644 index 000000000000..94c69f08f1b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with MMC", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json new file mode 100644 index 000000000000..edd839849941 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with MMC", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json deleted file mode 100644 index 53d623545e60..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Successful Linux RDP Brute Force Attack Detected", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", - "related_integrations": [ - { - "integration": "auditd", - "package": "auditd_manager", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "auditd.data.terminal", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "related.user", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json new file mode 100644 index 000000000000..e0fcbb34d320 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux RDP Brute Force Attack Detected", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", + "related_integrations": [ + { + "integration": "auditd", + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json deleted file mode 100644 index 9637b2904cfc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", - "false_positives": [ - "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS GuardDuty Detector Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", - "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json new file mode 100644 index 000000000000..c7e157b8750a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", + "false_positives": [ + "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS GuardDuty Detector Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", + "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json new file mode 100644 index 000000000000..5cd2f3cbd630 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", + "false_positives": [ + "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS GuardDuty Detector Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", + "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json deleted file mode 100644 index 98316b328339..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json +++ /dev/null @@ -1,137 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", - "references": [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "52376a86-ee86-4967-97ae-1a05f55816f0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json new file mode 100644 index 000000000000..d5aef0c93eb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n )\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "GTFOBins", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json new file mode 100644 index 000000000000..8d48f5cd68d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\"))\n )\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "GTFOBins", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json new file mode 100644 index 000000000000..9bf5128a93ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\"))\n )\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json new file mode 100644 index 000000000000..6f36a8350c1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json deleted file mode 100644 index 7dce036206aa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json +++ /dev/null @@ -1,131 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Network Connection via RunDLL32", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", - "https://redcanary.com/threat-detection-report/techniques/rundll32/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.011", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1218/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "52aaab7b-b51c-441a-89ce-4387b3aea886", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json new file mode 100644 index 000000000000..23f93adc940f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://redcanary.com/threat-detection-report/techniques/rundll32/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json new file mode 100644 index 000000000000..51b9b8409afb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://redcanary.com/threat-detection-report/techniques/rundll32/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json deleted file mode 100644 index 6e38a2c5282f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_anomalous_network_activity" - ], - "name": "Unusual Linux Network Activity", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "52afbdc5-db15-485e-bc24-f5707f820c4b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json new file mode 100644 index 000000000000..e16e995dd250 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_activity" + ], + "name": "Unusual Linux Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json new file mode 100644 index 000000000000..e1d79793c81d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_network_activity" + ], + "name": "Unusual Linux Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json deleted file mode 100644 index c59dace073fd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious CronTab Creation or Modification", - "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", - "references": [ - "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", - "https://theevilbit.github.io/beyond/beyond_0004/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "530178da-92ea-43ce-94c2-8877a826783d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json new file mode 100644 index 000000000000..9c5cb8221140 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CronTab Creation or Modification", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", + "references": [ + "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", + "https://theevilbit.github.io/beyond/beyond_0004/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "530178da-92ea-43ce-94c2-8877a826783d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json new file mode 100644 index 000000000000..403db9ab7b56 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CronTab Creation or Modification", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", + "references": [ + "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", + "https://theevilbit.github.io/beyond/beyond_0004/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "530178da-92ea-43ce-94c2-8877a826783d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json deleted file mode 100644 index 741d68b2a00b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", - "from": "now-59m", - "history_window_start": "now-2d", - "index": [ - "auditbeat-*", - "filebeat-*", - "packetbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "new_terms_fields": [ - "destination.ip", - "process.executable" - ], - "query": "host.os.type:linux and event.category:network and \nevent.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable : ( \n (/etc/crontab or \n /etc/rc.local or \n /boot/* or \n /dev/shm/* or \n /etc/cron.*/* or \n /etc/init.d/* or \n /etc/rc*.d/* or \n /etc/update-motd.d/* or \n /home/*/.* or \n /run/* or \n /srv/* or \n /tmp/* or \n /usr/lib/update-notifier/* or \n /var/tmp/*) and \n not (/usr/bin/apt or \n /usr/bin/curl or \n /usr/bin/dnf or \n /usr/bin/dockerd or \n /usr/bin/dpkg or \n /usr/bin/rpm or \n /usr/bin/wget or \n /usr/bin/yum) \n ) \nand source.ip : ( \n 10.0.0.0/8 or \n 127.0.0.0/8 or \n 172.16.0.0/12 or \n 192.168.0.0/16) and \n not destination.ip : ( \n 10.0.0.0/8 or \n 100.64.0.0/10 or \n 127.0.0.0/8 or \n 169.254.0.0/16 or \n 172.16.0.0/12 or \n 192.0.0.0/24 or \n 192.0.0.0/29 or \n 192.0.0.10/32 or \n 192.0.0.170/32 or \n 192.0.0.171/32 or \n 192.0.0.8/32 or \n 192.0.0.9/32 or \n 192.0.2.0/24 or \n 192.168.0.0/16 or \n 192.175.48.0/24 or \n 192.31.196.0/24 or \n 192.52.193.0/24 or \n 192.88.99.0/24 or \n 198.18.0.0/15 or \n 198.51.100.0/24 or \n 203.0.113.0/24 or \n 224.0.0.0/4 or \n 240.0.0.0/4 or \n \"::1\" or \n \"FE80::/10\" or \n \"FF00::/8\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 21, - "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json new file mode 100644 index 000000000000..43456c728fd2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", + "from": "now-59m", + "history_window_start": "now-2d", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", + "new_terms_fields": [ + "destination.ip", + "process.executable" + ], + "query": "host.os.type:linux and event.category:network and \nevent.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable : ( \n (/etc/crontab or \n /etc/rc.local or \n /boot/* or \n /dev/shm/* or \n /etc/cron.*/* or \n /etc/init.d/* or \n /etc/rc*.d/* or \n /etc/update-motd.d/* or \n /home/*/.* or \n /run/* or \n /srv/* or \n /tmp/* or \n /usr/lib/update-notifier/* or \n /var/tmp/*) and \n not (/usr/bin/apt or \n /usr/bin/curl or \n /usr/bin/dnf or \n /usr/bin/dockerd or \n /usr/bin/dpkg or \n /usr/bin/rpm or \n /usr/bin/wget or \n /usr/bin/yum) \n ) \nand source.ip : ( \n 10.0.0.0/8 or \n 127.0.0.0/8 or \n 172.16.0.0/12 or \n 192.168.0.0/16) and \n not destination.ip : ( \n 10.0.0.0/8 or \n 100.64.0.0/10 or \n 127.0.0.0/8 or \n 169.254.0.0/16 or \n 172.16.0.0/12 or \n 192.0.0.0/24 or \n 192.0.0.0/29 or \n 192.0.0.10/32 or \n 192.0.0.170/32 or \n 192.0.0.171/32 or \n 192.0.0.8/32 or \n 192.0.0.9/32 or \n 192.0.2.0/24 or \n 192.168.0.0/16 or \n 192.175.48.0/24 or \n 192.31.196.0/24 or \n 192.52.193.0/24 or \n 192.88.99.0/24 or \n 198.18.0.0/15 or \n 198.51.100.0/24 or \n 203.0.113.0/24 or \n 224.0.0.0/4 or \n 240.0.0.0/4 or \n \"::1\" or \n \"FE80::/10\" or \n \"FF00::/8\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json deleted file mode 100644 index 90f11972933a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", - "false_positives": [ - "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EFS File System or Mount Deleted", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", - "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json new file mode 100644 index 000000000000..4c02ec5505d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", + "false_positives": [ + "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EFS File System or Mount Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json new file mode 100644 index 000000000000..13096e29e8fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", + "false_positives": [ + "File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EFS File System or Mount Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json deleted file mode 100644 index 0f8d96f9cdb7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", - "false_positives": [ - "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Diagnostic Settings Deletion", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json new file mode 100644 index 000000000000..54864a11d7fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", + "false_positives": [ + "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Diagnostic Settings Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json new file mode 100644 index 000000000000..a65df01f08c3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", + "false_positives": [ + "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Diagnostic Settings Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json deleted file mode 100644 index 038bdab96b79..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious PDF Reader Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json new file mode 100644 index 000000000000..665e2c2ce09d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PDF Reader Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json new file mode 100644 index 000000000000..b6c0ba99b646 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PDF Reader Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json deleted file mode 100644 index 612f85bacf93..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Uncommon Registry Persistence Change", - "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", - "references": [ - "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - } - ] - } - ], - "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", - "timeline_title": "Comprehensive Registry Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "54902e45-3467-49a4-8abc-529f2c8cfb80", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json new file mode 100644 index 000000000000..09a1121f7776 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Uncommon Registry Persistence Change", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "references": [ + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json new file mode 100644 index 000000000000..47ceec757f9b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Uncommon Registry Persistence Change", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "references": [ + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json deleted file mode 100644 index 5460fbd7f727..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", - "false_positives": [ - "Legitimate exchange system administration activity." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Exchange Mailbox Export via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", - "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.001", - "name": "Local Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/001/" - }, - { - "id": "T1114.002", - "name": "Remote Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "54a81f68-5f2a-421e-8eed-f888278bb712", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json new file mode 100644 index 000000000000..ff0624c4416c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Exchange Mailbox Export via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "54a81f68-5f2a-421e-8eed-f888278bb712_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json new file mode 100644 index 000000000000..b10567592734 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Exchange Mailbox Export via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "54a81f68-5f2a-421e-8eed-f888278bb712_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json deleted file mode 100644 index a53e0303ee48..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", - "false_positives": [ - "Authorized third party network logon providers." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Logon Provider Registry Modification", - "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", - "references": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", - "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json new file mode 100644 index 000000000000..1263e52c2674 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", + "false_positives": [ + "Authorized third party network logon providers." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Logon Provider Registry Modification", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", + "references": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json new file mode 100644 index 000000000000..a0c8319ec956 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", + "false_positives": [ + "Authorized third party network logon providers." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Logon Provider Registry Modification", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", + "references": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json deleted file mode 100644 index 0c72d28fbc5c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows Service Installed via an Unusual Client", - "note": "", - "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", - "references": [ - "https://www.x86matthew.com/view_post?id=create_svc_rpc", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ClientProcessId", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ParentProcessId", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json new file mode 100644 index 000000000000..87d8ba708e51 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Service Installed via an Unusual Client", + "note": "", + "query": "event.action:\"service-installed\" and host.os.type:windows and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", + "references": [ + "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ParentProcessId", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json new file mode 100644 index 000000000000..6499139e8f78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Service Installed via an Unusual Client", + "note": "", + "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", + "references": [ + "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ParentProcessId", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json new file mode 100644 index 000000000000..b7affe27f04e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Service Installed via an Unusual Client", + "note": "", + "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", + "references": [ + "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ParentProcessId", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json deleted file mode 100644 index b3ea8fac929a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", - "false_positives": [ - "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "PsExec Network Connection", - "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1569", - "name": "System Services", - "reference": "https://attack.mitre.org/techniques/T1569/", - "subtechnique": [ - { - "id": "T1569.002", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1569/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [] - } - ], - "type": "eql", - "version": 105 - }, - "id": "55d551c6-333b-4665-ab7e-5d14a59715ce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json new file mode 100644 index 000000000000..8b71c8d1d03d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PsExec Network Connection", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 104 + }, + "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json new file mode 100644 index 000000000000..4f10f280810f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PsExec Network Connection", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 105 + }, + "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json deleted file mode 100644 index 05920a87aef3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "message", - "type": "match_only_text" - } - ], - "risk_score": 21, - "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.002", - "name": "Code Signing", - "reference": "https://attack.mitre.org/techniques/T1553/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json new file mode 100644 index 000000000000..71af2f5fd0ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + } + ], + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.002", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1553/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json new file mode 100644 index 000000000000..cf7dcb14625d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + } + ], + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.002", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1553/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json deleted file mode 100644 index 4c09eb5a4792..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Admin Group Account Addition", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", - "references": [ - "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "565c2b44-7a21-4818-955f-8d4737967d2e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json new file mode 100644 index 000000000000..7077ac200bcb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Admin Group Account Addition", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", + "references": [ + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "565c2b44-7a21-4818-955f-8d4737967d2e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json new file mode 100644 index 000000000000..3b1deb6d481f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Admin Group Account Addition", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", + "references": [ + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "565c2b44-7a21-4818-955f-8d4737967d2e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json deleted file mode 100644 index 53217f1f8d63..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Dumping of Keychain Content via Security Command", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", - "references": [ - "https://ss64.com/osx/security.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json new file mode 100644 index 000000000000..c0376f3abfdd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dumping of Keychain Content via Security Command", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", + "references": [ + "https://ss64.com/osx/security.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "565d6ca5-75ba-4c82-9b13-add25353471c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json new file mode 100644 index 000000000000..b9905266d50b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dumping of Keychain Content via Security Command", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", + "references": [ + "https://ss64.com/osx/security.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "565d6ca5-75ba-4c82-9b13-add25353471c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json deleted file mode 100644 index 10f48494e424..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", - "false_positives": [ - "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Logging Bucket Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n", - "references": [ - "https://cloud.google.com/logging/docs/buckets", - "https://cloud.google.com/logging/docs/storage" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json new file mode 100644 index 000000000000..e18da20ae0f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", + "false_positives": [ + "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Bucket Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/buckets", + "https://cloud.google.com/logging/docs/storage" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json new file mode 100644 index 000000000000..abc96782c642 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", + "false_positives": [ + "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Logging Bucket Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n", + "references": [ + "https://cloud.google.com/logging/docs/buckets", + "https://cloud.google.com/logging/docs/storage" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json deleted file mode 100644 index 1fe57342fb1e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", - "false_positives": [ - "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - }, - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json new file mode 100644 index 000000000000..4bc5b4a6be27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell PSReflect Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json new file mode 100644 index 000000000000..a37cd2036d5b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell PSReflect Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json new file mode 100644 index 000000000000..034f8a3986e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell PSReflect Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json deleted file mode 100644 index 2de2e00ecfb3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "VNC (Virtual Network Computing) from the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Software", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json new file mode 100644 index 000000000000..b630f94f7e7c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json new file mode 100644 index 000000000000..6a6d8f4a84a8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "VNC (Virtual Network Computing) from the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json deleted file mode 100644 index 6d333aedaaea..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Credential Dumping - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json new file mode 100644 index 000000000000..1824185a1c6a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Dumping - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json new file mode 100644 index 000000000000..a9f7402316c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Dumping - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json deleted file mode 100644 index 17e49572532b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", - "false_positives": [ - "Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Virtual Network Device Modified or Deleted", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Network Security Monitoring", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json new file mode 100644 index 000000000000..5c8fac6ee42d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", + "false_positives": [ + "Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Virtual Network Device Modified or Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json new file mode 100644 index 000000000000..5be784b35c44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", + "false_positives": [ + "Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Virtual Network Device Modified or Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json deleted file mode 100644 index 48fb5f95bfdb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", - "false_positives": [ - "PowerShell scripts that use this capability for troubleshooting." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell MiniDump Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", - "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "577ec21e-56fe-4065-91d8-45eb8224fe77", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json new file mode 100644 index 000000000000..e0e5c4b417b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", + "false_positives": [ + "PowerShell scripts that use this capability for troubleshooting." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell MiniDump Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json new file mode 100644 index 000000000000..c03c2c5a9464 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", + "false_positives": [ + "PowerShell scripts that use this capability for troubleshooting." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell MiniDump Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json deleted file mode 100644 index c521251d5283..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Deleting Backup Catalogs with Wbadmin", - "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "581add16-df76-42bb-af8e-c979bfb39a59", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json new file mode 100644 index 000000000000..1e52ffeb888c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Deleting Backup Catalogs with Wbadmin", + "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "581add16-df76-42bb-af8e-c979bfb39a59_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json new file mode 100644 index 000000000000..4ac119fac52a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Deleting Backup Catalogs with Wbadmin", + "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "581add16-df76-42bb-af8e-c979bfb39a59_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json deleted file mode 100644 index 069cd1eaae8d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "RDP Enabled via Registry", - "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.001", - "name": "Remote Desktop Protocol", - "reference": "https://attack.mitre.org/techniques/T1021/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json new file mode 100644 index 000000000000..ea2196a62f1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json new file mode 100644 index 000000000000..47605ffe9e09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json new file mode 100644 index 000000000000..3d49bb7930de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json deleted file mode 100644 index a1ff0171a296..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", - "index": [ - "filebeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Zoom Meeting with no Passcode", - "note": "", - "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", - "references": [ - "https://blog.zoom.us/a-message-to-our-users/", - "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "zoom.meeting.password", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", - "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Zoom", - "Use Case: Configuration Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json new file mode 100644 index 000000000000..781a6c2ffeb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Zoom Meeting with no Passcode", + "note": "", + "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", + "references": [ + "https://blog.zoom.us/a-message-to-our-users/", + "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "zoom.meeting.password", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Application", + "Communication", + "Zoom", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json new file mode 100644 index 000000000000..84ffd037dfe7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Zoom Meeting with no Passcode", + "note": "", + "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", + "references": [ + "https://blog.zoom.us/a-message-to-our-users/", + "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "zoom.meeting.password", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Zoom", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json deleted file mode 100644 index f817812b9edc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Lateral Tool Transfer via SMB Share", - "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - }, - { - "id": "T1570", - "name": "Lateral Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1570/" - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json new file mode 100644 index 000000000000..344f9b6b0a77 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Lateral Tool Transfer via SMB Share", + "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + }, + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json new file mode 100644 index 000000000000..1a276c22a708 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Lateral Tool Transfer via SMB Share", + "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + }, + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json deleted file mode 100644 index 8a64e00bbbbb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privilege Escalation via InstallerFileTakeOver", - "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", - "references": [ - "https://github.com/klinix5/InstallerFileTakeOver" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.IntegrityLevel", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json new file mode 100644 index 000000000000..6caf8f142281 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via InstallerFileTakeOver", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", + "references": [ + "https://github.com/klinix5/InstallerFileTakeOver" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json new file mode 100644 index 000000000000..70a7f8158532 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via InstallerFileTakeOver", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", + "references": [ + "https://github.com/klinix5/InstallerFileTakeOver" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json new file mode 100644 index 000000000000..9ad723fe8338 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via InstallerFileTakeOver", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", + "references": [ + "https://github.com/klinix5/InstallerFileTakeOver" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json deleted file mode 100644 index 9b1bb4b0ca68..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", - "false_positives": [ - "Legitimate files reported by the users" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "O365 Email Reported by User as Malware or Phish", - "note": "", - "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", - "references": [ - "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us\u0026rs=en-us\u0026ad=us" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "rule.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "5930658c-2107-4afc-91af-e0e55b7f7184", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json new file mode 100644 index 000000000000..65b9f15c492a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us\u0026rs=en-us\u0026ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json new file mode 100644 index 000000000000..61acf69c7182 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us\u0026rs=en-us\u0026ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json deleted file mode 100644 index 9aa045011ac8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", - "false_positives": [ - "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Created", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json new file mode 100644 index 000000000000..8d2807b66f05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", + "false_positives": [ + "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json new file mode 100644 index 000000000000..1f1a5b31c3c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", + "false_positives": [ + "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json deleted file mode 100644 index 14924b700c1b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_system_user_discovery" - ], - "name": "Unusual Linux User Discovery Activity", - "risk_score": 21, - "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "59756272-1998-4b8c-be14-e287035c4d10", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json new file mode 100644 index 000000000000..3aa81ca90bb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_user_discovery" + ], + "name": "Unusual Linux System Owner or User Discovery Activity", + "risk_score": 21, + "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "59756272-1998-4b8c-be14-e287035c4d10_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json new file mode 100644 index 000000000000..cafa4207ca2a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_user_discovery" + ], + "name": "Unusual Linux User Discovery Activity", + "risk_score": 21, + "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "59756272-1998-4b8c-be14-e287035c4d10_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json new file mode 100644 index 000000000000..fd79691d6cb5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_user_discovery" + ], + "name": "Unusual Linux User Discovery Activity", + "risk_score": 21, + "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "59756272-1998-4b8c-be14-e287035c4d10_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json deleted file mode 100644 index 3b05eeb680dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", - "references": [ - "https://github.com/hfiref0x/UACME", - "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json new file mode 100644 index 000000000000..4994d7460bc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", + "references": [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json new file mode 100644 index 000000000000..4c384f7c1a75 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", + "references": [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json deleted file mode 100644 index 920dd09af861..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell via Java", - "query": "sequence by host.id with maxspan=5s\n[ network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.executable : \"*sh\" ] by process.parent.entity_id\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "5a3d5447-31c9-409a-aed1-72f9921594fd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json new file mode 100644 index 000000000000..39a35e87d2e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Java", + "query": "sequence by host.id with maxspan=5s\n[ network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.executable : \"*sh\" ] by process.parent.entity_id\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json deleted file mode 100644 index 0d5694653c05..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects use of the systemsetup command to enable remote SSH Login.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Remote SSH Login Enabled via systemsetup Command", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", - "references": [ - "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", - "https://ss64.com/osx/systemsetup.html", - "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json new file mode 100644 index 000000000000..8c1b7dfd2b96 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects use of the systemsetup command to enable remote SSH Login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Remote SSH Login Enabled via systemsetup Command", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", + "references": [ + "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", + "https://ss64.com/osx/systemsetup.html", + "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json new file mode 100644 index 000000000000..495bb45310a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects use of the systemsetup command to enable remote SSH Login.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Remote SSH Login Enabled via systemsetup Command", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", + "references": [ + "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", + "https://ss64.com/osx/systemsetup.html", + "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json deleted file mode 100644 index 25f12e5b3a2e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Secure File Deletion via SDelete Utility", - "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", - "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json new file mode 100644 index 000000000000..3da5e5cb7776 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Secure File Deletion via SDelete Utility", + "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", + "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json new file mode 100644 index 000000000000..7c6130279cb2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Secure File Deletion via SDelete Utility", + "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", + "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json deleted file mode 100644 index a952427efe3b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", - "false_positives": [ - "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Virtual Machine Fingerprinting", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json new file mode 100644 index 000000000000..1fab64dc7f27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json new file mode 100644 index 000000000000..3369bc3705a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json deleted file mode 100644 index 4a76cece7fef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious PrintSpooler Service Executable File Creation", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", - "references": [ - "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", - "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json new file mode 100644 index 000000000000..bcb7415227c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler Service Executable File Creation", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", + "references": [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json new file mode 100644 index 000000000000..0f9a14b6c47f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler Service Executable File Creation", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", + "references": [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json deleted file mode 100644 index bfa94ebfb61a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", - "false_positives": [ - "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS WAF Rule or Rule Group Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", - "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json new file mode 100644 index 000000000000..00bda565a46a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", + "false_positives": [ + "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Rule or Rule Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json new file mode 100644 index 000000000000..2b29e680192f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", + "false_positives": [ + "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Rule or Rule Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json deleted file mode 100644 index f1de4540ff6c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", - "from": "now-9m", - "history_window_start": "now-15d", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "FirstTime Seen Account Performing DCSync", - "new_terms_fields": [ - "winlog.event_data.SubjectUserName" - ], - "note": "", - "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", - "references": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", - "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", - "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.006", - "name": "DCSync", - "reference": "https://attack.mitre.org/techniques/T1003/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 4 - }, - "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json new file mode 100644 index 000000000000..a4107a042d0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "FirstTime Seen Account Performing DCSync", + "new_terms_fields": [ + "winlog.event_data.SubjectUserName" + ], + "note": "", + "query": "event.action:\"Directory Service Access\" and host.os.type:windows and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json new file mode 100644 index 000000000000..670b6904257f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "FirstTime Seen Account Performing DCSync", + "new_terms_fields": [ + "winlog.event_data.SubjectUserName" + ], + "note": "", + "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json new file mode 100644 index 000000000000..2a329d3d91a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "FirstTime Seen Account Performing DCSync", + "new_terms_fields": [ + "winlog.event_data.SubjectUserName" + ], + "note": "", + "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json deleted file mode 100644 index bedda8f0edcd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_system_process_discovery" - ], - "name": "Unusual Linux Process Discovery Activity", - "risk_score": 21, - "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "5c983105-4681-46c3-9890-0c66d05e776b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json new file mode 100644 index 000000000000..e49ed32ce6ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_process_discovery" + ], + "name": "Unusual Linux Process Discovery Activity", + "risk_score": 21, + "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "5c983105-4681-46c3-9890-0c66d05e776b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json new file mode 100644 index 000000000000..ff5a3d59b910 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_process_discovery" + ], + "name": "Unusual Linux Process Discovery Activity", + "risk_score": 21, + "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "5c983105-4681-46c3-9890-0c66d05e776b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json deleted file mode 100644 index 141c61228d27..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Defense Evasion via PRoot", - "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", - "references": [ - "https://proot-me.github.io/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1211", - "name": "Exploitation for Defense Evasion", - "reference": "https://attack.mitre.org/techniques/T1211/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json new file mode 100644 index 000000000000..4f98d6e191e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Defense Evasion via PRoot", + "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", + "references": [ + "https://proot-me.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json new file mode 100644 index 000000000000..6fd6601f6147 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Defense Evasion via PRoot", + "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", + "references": [ + "https://proot-me.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json deleted file mode 100644 index 681c390ac07c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json +++ /dev/null @@ -1,123 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Outbound Scheduled Task Activity via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json new file mode 100644 index 000000000000..dc7a603ab8b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Outbound Scheduled Task Activity via PowerShell", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json new file mode 100644 index 000000000000..93afdcf5eacc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Outbound Scheduled Task Activity via PowerShell", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json deleted file mode 100644 index efed5ab89070..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Skoetting" - ], - "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "group.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.api", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json new file mode 100644 index 000000000000..4d5a1a0f6731 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "iam where host.os.type == \"windows\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json new file mode 100644 index 000000000000..30873ad39c10 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json new file mode 100644 index 000000000000..87c5669f3f06 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json deleted file mode 100644 index b35037b8e7cb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via PowerShell profile", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", - "references": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.013", - "name": "PowerShell Profile", - "reference": "https://attack.mitre.org/techniques/T1546/013/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json new file mode 100644 index 000000000000..0ad2e318388a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via PowerShell profile", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json new file mode 100644 index 000000000000..db58d6b57386 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via PowerShell profile", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json deleted file mode 100644 index 888634cf5adb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Login or Logout Hook", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", - "references": [ - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", - "https://www.manpagez.com/man/1/defaults/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json new file mode 100644 index 000000000000..e72753c8eb32 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Login or Logout Hook", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", + "references": [ + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", + "https://www.manpagez.com/man/1/defaults/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json new file mode 100644 index 000000000000..5d7238aa1344 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Login or Logout Hook", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", + "references": [ + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", + "https://www.manpagez.com/man/1/defaults/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json deleted file mode 100644 index 2926b9b0cf81..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", - "false_positives": [ - "Legitimate scheduled tasks running third party software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution via Scheduled Task", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json new file mode 100644 index 000000000000..9aa6f4af9f4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", + "false_positives": [ + "Legitimate scheduled tasks running third party software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Scheduled Task", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json new file mode 100644 index 000000000000..1c618a3e54ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", + "false_positives": [ + "Legitimate scheduled tasks running third party software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Scheduled Task", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json deleted file mode 100644 index 970b16e2d5e9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Automator Workflows Execution", - "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", - "references": [ - "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json new file mode 100644 index 000000000000..ef56b2b8d56b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Automator Workflows Execution", + "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json new file mode 100644 index 000000000000..55ebf56746d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Automator Workflows Execution", + "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json deleted file mode 100644 index b865c50a86a9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", - "false_positives": [ - "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace 2SV Policy Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "5e161522-2545-11ed-ac47-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json new file mode 100644 index 000000000000..9bf1b41d9dc7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", + "false_positives": [ + "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace 2SV Policy Disabled", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"2sv_disable\"\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "5e161522-2545-11ed-ac47-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json new file mode 100644 index 000000000000..91a3e9f487fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", + "false_positives": [ + "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace 2SV Policy Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "5e161522-2545-11ed-ac47-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json new file mode 100644 index 000000000000..6da188c311e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", + "false_positives": [ + "Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace 2SV Policy Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "5e161522-2545-11ed-ac47-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json deleted file mode 100644 index 86cf155c2499..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", - "false_positives": [ - "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Teams Guest Access Enabled", - "note": "", - "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.AllowGuestUser", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "5e552599-ddec-4e14-bad1-28aa42404388", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json new file mode 100644 index 000000000000..98b8e2ba8f2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json new file mode 100644 index 000000000000..94d39af72c5d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json deleted file mode 100644 index 7c725ad2939d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", - "false_positives": [ - "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Command Execution on Virtual Machine", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", - "references": [ - "https://adsecurity.org/?p=4277", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "60884af6-f553-4a6c-af13-300047455491", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "60884af6-f553-4a6c-af13-300047455491", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json new file mode 100644 index 000000000000..4c6ee3b41b5a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", + "false_positives": [ + "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Command Execution on Virtual Machine", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", + "references": [ + "https://adsecurity.org/?p=4277", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60884af6-f553-4a6c-af13-300047455491", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "60884af6-f553-4a6c-af13-300047455491_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json new file mode 100644 index 000000000000..8af9cfeef7c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", + "false_positives": [ + "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Command Execution on Virtual Machine", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", + "references": [ + "https://adsecurity.org/?p=4277", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60884af6-f553-4a6c-af13-300047455491", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Log Auditing", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "60884af6-f553-4a6c-af13-300047455491_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json deleted file mode 100644 index e3738e6dccc8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.", - "false_positives": [ - "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Service Principal Addition", - "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", - "references": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", - "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json new file mode 100644 index 000000000000..a638ce812fcc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.", + "false_positives": [ + "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Service Principal Addition", + "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json new file mode 100644 index 000000000000..0857b4ada564 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.", + "false_positives": [ + "A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Service Principal Addition", + "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json deleted file mode 100644 index f3207418cf67..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", - "false_positives": [ - "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange DLP Policy Removed", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "60f3adec-1df9-4104-9c75-b97d9f078b25", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json new file mode 100644 index 000000000000..d22f386e8ae0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json new file mode 100644 index 000000000000..2a2bb8082a85 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json deleted file mode 100644 index a90fdcb1bc42..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Process Network Connection", - "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/" - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "610949a1-312f-4e04-bb55-3a79b8c95267", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json new file mode 100644 index 000000000000..1a4ce1798a1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Network Connection", + "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "610949a1-312f-4e04-bb55-3a79b8c95267_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json new file mode 100644 index 000000000000..284a9f44cb54 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Network Connection", + "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "610949a1-312f-4e04-bb55-3a79b8c95267_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json deleted file mode 100644 index 1048d845d7c2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json +++ /dev/null @@ -1,148 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", - "false_positives": [ - "Legitimate PowerShell scripts that make use of these functions." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Suspicious Discovery Related Windows API Functions", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\")\n", - "references": [ - "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.001", - "name": "Local Groups", - "reference": "https://attack.mitre.org/techniques/T1069/001/" - } - ] - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1087/001/" - } - ] - }, - { - "id": "T1482", - "name": "Domain Trust Discovery", - "reference": "https://attack.mitre.org/techniques/T1482/" - }, - { - "id": "T1135", - "name": "Network Share Discovery", - "reference": "https://attack.mitre.org/techniques/T1135/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - }, - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 108 - }, - "id": "61ac3638-40a3-44b2-855a-985636ca985e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json new file mode 100644 index 000000000000..5a5288dba2b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "61ac3638-40a3-44b2-855a-985636ca985e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json new file mode 100644 index 000000000000..d822ac6afd57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json @@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\")\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "61ac3638-40a3-44b2-855a-985636ca985e_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json new file mode 100644 index 000000000000..96295fb71ac6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json @@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\")\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "61ac3638-40a3-44b2-855a-985636ca985e_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json deleted file mode 100644 index bcd81655f0e1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AdminSDHolder SDProp Exclusion Added", - "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", - "references": [ - "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", - "https://petri.com/active-directory-security-understanding-adminsdholder-object" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json new file mode 100644 index 000000000000..5cd09ad32c9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdminSDHolder SDProp Exclusion Added", + "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", + "https://petri.com/active-directory-security-understanding-adminsdholder-object" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json new file mode 100644 index 000000000000..704ddf40f878 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdminSDHolder SDProp Exclusion Added", + "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", + "https://petri.com/active-directory-security-understanding-adminsdholder-object" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json new file mode 100644 index 000000000000..2dce6339d225 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdminSDHolder SDProp Exclusion Added", + "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", + "https://petri.com/active-directory-security-understanding-adminsdholder-object" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json deleted file mode 100644 index a99222899af8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json +++ /dev/null @@ -1,147 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming DCOM Lateral Movement via MSHTA", - "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", - "references": [ - "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.003", - "name": "Distributed Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1021/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.005", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1218/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "622ecb68-fa81-4601-90b5-f8cd661e4520", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json new file mode 100644 index 000000000000..895387ba9847 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json @@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement via MSHTA", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "references": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json new file mode 100644 index 000000000000..71eccea2969f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json @@ -0,0 +1,147 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement via MSHTA", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "references": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json deleted file mode 100644 index f6382c854be0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", - "false_positives": [ - "User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Account Configured with Never-Expiring Password", - "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", - "references": [ - "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", - "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "message", - "type": "match_only_text" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.api", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "62a70f6f-3c37-43df-a556-f64fa475fba2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json new file mode 100644 index 000000000000..01c5ecd0040e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", + "false_positives": [ + "User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Account Configured with Never-Expiring Password", + "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"modified-user-account\" and host.os.type:windows and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", + "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json new file mode 100644 index 000000000000..058c410c45f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", + "false_positives": [ + "User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Account Configured with Never-Expiring Password", + "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", + "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json new file mode 100644 index 000000000000..efb2da7cd110 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", + "false_positives": [ + "User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Account Configured with Never-Expiring Password", + "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", + "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json deleted file mode 100644 index 71103abcc6ef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", - "false_positives": [ - "Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Suspicious Assignment of Controller Service Account", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", - "references": [ - "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.namespace", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.serviceAccountName", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "63c05204-339a-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.001", - "name": "Default Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 - }, - "id": "63c05204-339a-11ed-a261-0242ac120002", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json new file mode 100644 index 000000000000..60a3591f8a8f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", + "false_positives": [ + "Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Suspicious Assignment of Controller Service Account", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", + "references": [ + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.namespace", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.serviceAccountName", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c05204-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "63c05204-339a-11ed-a261-0242ac120002_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json new file mode 100644 index 000000000000..7e73fdc4a5c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", + "false_positives": [ + "Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Suspicious Assignment of Controller Service Account", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", + "references": [ + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.namespace", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.serviceAccountName", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c05204-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "63c05204-339a-11ed-a261-0242ac120002_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json deleted file mode 100644 index 909f69ceb326..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", - "false_positives": [ - "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Denied Service Account Request", - "note": "", - "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", - "references": [ - "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", - "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1613", - "name": "Container and Resource Discovery", - "reference": "https://attack.mitre.org/techniques/T1613/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "63c056a0-339a-11ed-a261-0242ac120002", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json new file mode 100644 index 000000000000..3dbcbba478da --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", + "false_positives": [ + "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Denied Service Account Request", + "note": "", + "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "63c056a0-339a-11ed-a261-0242ac120002_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json new file mode 100644 index 000000000000..55add01b48c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", + "false_positives": [ + "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Denied Service Account Request", + "note": "", + "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "63c056a0-339a-11ed-a261-0242ac120002_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json deleted file mode 100644 index bd85b3905203..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", - "false_positives": [ - "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Anonymous Request Authorized", - "note": "", - "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)\n", - "references": [ - "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Initial Access", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.001", - "name": "Default Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "63c057cc-339a-11ed-a261-0242ac120002", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json new file mode 100644 index 000000000000..ade00ba49597 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", + "false_positives": [ + "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Anonymous Request Authorized", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and (kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\") or not kubernetes.audit.user.username:*)\n and not kubernetes.audit.objectRef.resource:(\"healthz\" or \"livez\" or \"readyz\")\n", + "references": [ + "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Initial Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "63c057cc-339a-11ed-a261-0242ac120002_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json new file mode 100644 index 000000000000..2e0c868b6bb7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", + "false_positives": [ + "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Anonymous Request Authorized", + "note": "", + "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)\n", + "references": [ + "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "63c057cc-339a-11ed-a261-0242ac120002_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json deleted file mode 100644 index 7be450b243ce..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Signed Binary", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "type": "eql", - "version": 104 - }, - "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json new file mode 100644 index 000000000000..609cf74461e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Signed Binary", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 102 + }, + "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json new file mode 100644 index 000000000000..6b57362088da --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Signed Binary", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 103 + }, + "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json new file mode 100644 index 000000000000..ecf9ae5d42f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Signed Binary", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 104 + }, + "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json deleted file mode 100644 index 82a17e6edd47..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_anomalous_process_all_hosts" - ], - "name": "Anomalous Process For a Linux Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "647fc812-7996-4795-8869-9c4ea595fe88", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json new file mode 100644 index 000000000000..8350086c23b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Linux Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "647fc812-7996-4795-8869-9c4ea595fe88_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json new file mode 100644 index 000000000000..eb8d07a8e890 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Linux Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "647fc812-7996-4795-8869-9c4ea595fe88_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json deleted file mode 100644 index ebfe4de5fd2e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Safari Settings via Defaults Command", - "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", - "references": [ - "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json new file mode 100644 index 000000000000..0bbaf878a304 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Safari Settings via Defaults Command", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json new file mode 100644 index 000000000000..2d24afc4de2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Safari Settings via Defaults Command", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json deleted file mode 100644 index 67b2e1a0ec22..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", - "false_positives": [ - "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting \u003cNodeIP\u003e:\u003cNodePort\u003e. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Exposed Service Created With Type NodePort", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", - "references": [ - "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", - "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.type", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "65f9bccd-510b-40df-8263-334f03174fed", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json new file mode 100644 index 000000000000..3343f889fd0e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", + "false_positives": [ + "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting \u003cNodeIP\u003e:\u003cNodePort\u003e. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Exposed Service Created With Type NodePort", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", + "references": [ + "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", + "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", + "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "65f9bccd-510b-40df-8263-334f03174fed_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json new file mode 100644 index 000000000000..aa270c71233c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", + "false_positives": [ + "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting \u003cNodeIP\u003e:\u003cNodePort\u003e. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Exposed Service Created With Type NodePort", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", + "references": [ + "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", + "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", + "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "65f9bccd-510b-40df-8263-334f03174fed_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json deleted file mode 100644 index b43d199e4ded..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Mount SMB Share via Command Line", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", - "references": [ - "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", - "https://ss64.com/osx/mount.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json new file mode 100644 index 000000000000..21d2a5d6c802 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Mount SMB Share via Command Line", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", + "references": [ + "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", + "https://ss64.com/osx/mount.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json new file mode 100644 index 000000000000..f003dfd6ff66 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Mount SMB Share via Command Line", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", + "references": [ + "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", + "https://ss64.com/osx/mount.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json deleted file mode 100644 index 74b314735f8f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Termination of ESXI Process", - "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "6641a5af-fb7e-487a-adc4-9e6503365318", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json new file mode 100644 index 000000000000..1095c1962625 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Termination of ESXI Process", + "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "6641a5af-fb7e-487a-adc4-9e6503365318_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json new file mode 100644 index 000000000000..10afe8ef6b49 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Termination of ESXI Process", + "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "6641a5af-fb7e-487a-adc4-9e6503365318_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json deleted file mode 100644 index 9de731f5e7c9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "WebServer Access Logs Deleted", - "note": "", - "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 102 - }, - "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json new file mode 100644 index 000000000000..e1d2ea38c9fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WebServer Access Logs Deleted", + "note": "", + "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json new file mode 100644 index 000000000000..6d28fa9ced13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WebServer Access Logs Deleted", + "note": "", + "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json deleted file mode 100644 index 252fe383f848..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Successful Linux FTP Brute Force Attack Detected", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", - "related_integrations": [ - { - "integration": "auditd", - "package": "auditd_manager", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "auditd.data.addr", - "type": "unknown" - }, - { - "ecs": false, - "name": "auditd.data.terminal", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "related.user", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json new file mode 100644 index 000000000000..6cda25778c1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux FTP Brute Force Attack Detected", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", + "related_integrations": [ + { + "integration": "auditd", + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.addr", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json deleted file mode 100644 index 72cb1dfa3551..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1102", - "name": "Web Service", - "reference": "https://attack.mitre.org/techniques/T1102/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1567", - "name": "Exfiltration Over Web Service", - "reference": "https://attack.mitre.org/techniques/T1567/", - "subtechnique": [ - { - "id": "T1567.001", - "name": "Exfiltration to Code Repository", - "reference": "https://attack.mitre.org/techniques/T1567/001/" - }, - { - "id": "T1567.002", - "name": "Exfiltration to Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1567/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "66883649-f908-4a5b-a1e0-54090a1d3a32", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json new file mode 100644 index 000000000000..5bdc882061ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json new file mode 100644 index 000000000000..7fdb278b0d8c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json new file mode 100644 index 000000000000..6b400fc81db9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json deleted file mode 100644 index ecddc44c1a82..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious macOS MS Office Child Process", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", - "references": [ - "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json new file mode 100644 index 000000000000..113c86ce89b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious macOS MS Office Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", + "references": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json new file mode 100644 index 000000000000..487e67d1ea96 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious macOS MS Office Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", + "references": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json deleted file mode 100644 index d2f320120174..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of the msPKIAccountCredentials", - "note": "", - "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", - "references": [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.OperationType", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Data Source: Active Directory", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 6 - }, - "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json new file mode 100644 index 000000000000..0ea8a4c8bc09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of the msPKIAccountCredentials", + "note": "", + "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Active Directory", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json new file mode 100644 index 000000000000..ae38c50d820e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of the msPKIAccountCredentials", + "note": "", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Active Directory", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json new file mode 100644 index 000000000000..a09e9c5ec65e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of the msPKIAccountCredentials", + "note": "", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Data Source: Active Directory", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json deleted file mode 100644 index b6eac04e541f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Policy", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json new file mode 100644 index 000000000000..c3e41177c72f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json new file mode 100644 index 000000000000..f2aa0220e8ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json deleted file mode 100644 index e7ac06d893e5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", - "false_positives": [ - "Legitimate allowlisting of noisy accounts" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "O365 Mailbox Audit Logging Bypass", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", - "references": [ - "https://twitter.com/misconfig/status/1476144066807140355" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Initial Access", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json new file mode 100644 index 000000000000..1181b2ba43f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json new file mode 100644 index 000000000000..a0c8a2ac872e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json deleted file mode 100644 index 37f003f42640..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", - "false_positives": [ - "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Revoke Okta API Token", - "note": "", - "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json new file mode 100644 index 000000000000..3a7c848facf9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", + "false_positives": [ + "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Revoke Okta API Token", + "note": "", + "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json new file mode 100644 index 000000000000..b40057b4b6fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", + "false_positives": [ + "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Revoke Okta API Token", + "note": "", + "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json deleted file mode 100644 index d8b35b0f653c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "High Number of Process Terminations", - "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id", - "process.executable", - "user.name" - ], - "value": 10 - }, - "type": "threshold", - "version": 107 - }, - "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json new file mode 100644 index 000000000000..4bd5ee7b721f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 105 + }, + "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json new file mode 100644 index 000000000000..07f0f82cb0d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 106 + }, + "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json new file mode 100644 index 000000000000..9cb07332436e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id", + "process.executable", + "user.name" + ], + "value": 10 + }, + "type": "threshold", + "version": 107 + }, + "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json deleted file mode 100644 index 70cb21aa892c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Image File Execution Options Injection", - "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", - "references": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.012", - "name": "Image File Execution Options Injection", - "reference": "https://attack.mitre.org/techniques/T1546/012/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "6839c821-011d-43bd-bd5b-acff00257226", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json new file mode 100644 index 000000000000..ac3f3730793a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Image File Execution Options Injection", + "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", + "references": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "6839c821-011d-43bd-bd5b-acff00257226_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json new file mode 100644 index 000000000000..44f5a90287e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Image File Execution Options Injection", + "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", + "references": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "6839c821-011d-43bd-bd5b-acff00257226_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json deleted file mode 100644 index 2acda3ad0320..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "New or Modified Federation Domain", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1484", - "name": "Domain Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/", - "subtechnique": [ - { - "id": "T1484.002", - "name": "Domain Trust Modification", - "reference": "https://attack.mitre.org/techniques/T1484/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json new file mode 100644 index 000000000000..147d28d38cd2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json new file mode 100644 index 000000000000..0648a5d258b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json deleted file mode 100644 index 590bc6cc5b82..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Okta ThreatInsight Threat Suspected Promotion", - "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", - "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "okta.debug_context.debug_data.threat_suspected", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", - "rule_name_override": "okta.display_message", - "setup": "", - "severity": "medium", - "severity_mapping": [ - { - "field": "okta.debug_context.debug_data.risk_level", - "operator": "equals", - "severity": "low", - "value": "LOW" - }, - { - "field": "okta.debug_context.debug_data.risk_level", - "operator": "equals", - "severity": "medium", - "value": "MEDIUM" - }, - { - "field": "okta.debug_context.debug_data.risk_level", - "operator": "equals", - "severity": "high", - "value": "HIGH" - } - ], - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json new file mode 100644 index 000000000000..a53a470f80b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Detected by Okta ThreatInsight", + "note": "", + "query": "event.dataset:okta.system and event.action:security.threat.detected\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json new file mode 100644 index 000000000000..25ea89df9f0f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta ThreatInsight Threat Suspected Promotion", + "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.threat_suspected", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", + "rule_name_override": "okta.display_message", + "setup": "", + "severity": "medium", + "severity_mapping": [ + { + "field": "okta.debug_context.debug_data.risk_level", + "operator": "equals", + "severity": "low", + "value": "LOW" + }, + { + "field": "okta.debug_context.debug_data.risk_level", + "operator": "equals", + "severity": "medium", + "value": "MEDIUM" + }, + { + "field": "okta.debug_context.debug_data.risk_level", + "operator": "equals", + "severity": "high", + "value": "HIGH" + } + ], + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json deleted file mode 100644 index 5b121a2942ed..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via TelemetryController Scheduled Task Hijack", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", - "references": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json new file mode 100644 index 000000000000..a38c35a893aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via TelemetryController Scheduled Task Hijack", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", + "references": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json new file mode 100644 index 000000000000..2155e6e26caf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via TelemetryController Scheduled Task Hijack", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", + "references": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json deleted file mode 100644 index b8680fe37b48..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", - "false_positives": [ - "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Assigned to a User", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", - "references": [ - "https://support.google.com/a/answer/172176?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.role.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 206 - }, - "id": "68994a6c-c7ba-4e82-b476-26a26877adf6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json new file mode 100644 index 000000000000..e5a7cc0026ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", + "false_positives": [ + "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Assigned to a User", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", + "references": [ + "https://support.google.com/a/answer/172176?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.role.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json new file mode 100644 index 000000000000..3812fcb8cd67 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", + "false_positives": [ + "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", + "references": [ + "https://support.google.com/a/answer/172176?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.role.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json new file mode 100644 index 000000000000..7bd1621e6e0d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", + "false_positives": [ + "Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", + "references": [ + "https://support.google.com/a/answer/172176?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.role.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json deleted file mode 100644 index 4c61bc96b912..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Scheduled Task Created by a Windows Script", - "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", - "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "689b9d57-e4d5-4357-ad17-9c334609d79a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json new file mode 100644 index 000000000000..17dcb5402e50 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Task Created by a Windows Script", + "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", + "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json new file mode 100644 index 000000000000..5e8512716416 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Task Created by a Windows Script", + "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", + "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json deleted file mode 100644 index ab637692fc97..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Log Group Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", - "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json new file mode 100644 index 000000000000..27a6d26daca7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Log Group Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json new file mode 100644 index 000000000000..ef5b75756658 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Log Group Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json deleted file mode 100644 index e88f8f073129..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json new file mode 100644 index 000000000000..11dcce7dfe4b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json new file mode 100644 index 000000000000..1c1ef7092a5d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json deleted file mode 100644 index 5e306dbc7eeb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Xavier Pich" - ], - "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", - "false_positives": [ - "A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", - "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json new file mode 100644 index 000000000000..8d8a1c77fe3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Xavier Pich" + ], + "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", + "false_positives": [ + "A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", + "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json new file mode 100644 index 000000000000..12fb0140f7c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Xavier Pich" + ], + "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", + "false_positives": [ + "A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", + "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json deleted file mode 100644 index 2c46b4b158d8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43.json +++ /dev/null @@ -1,231 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps\n\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n\nThis rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\n* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64\n* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca\n* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60\n* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "file.hash.*", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.pe.imphash", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "url.full", - "type": "wildcard" - } - ], - "risk_score": 99, - "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", - "setup": "This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\nThreat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bcaThreat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.module", - "negate": false, - "params": { - "query": "threatintel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.module": "threatintel" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "filebeat-8*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "file.hash.md5", - "type": "mapping", - "value": "threat.indicator.file.hash.md5" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha1", - "type": "mapping", - "value": "threat.indicator.file.hash.sha1" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha256", - "type": "mapping", - "value": "threat.indicator.file.hash.sha256" - } - ] - }, - { - "entries": [ - { - "field": "file.pe.imphash", - "type": "mapping", - "value": "threat.indicator.file.pe.imphash" - } - ] - }, - { - "entries": [ - { - "field": "source.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - }, - { - "entries": [ - { - "field": "destination.ip", - "type": "mapping", - "value": "threat.indicator.ip" - } - ] - }, - { - "entries": [ - { - "field": "url.full", - "type": "mapping", - "value": "threat.indicator.url.full" - } - ] - }, - { - "entries": [ - { - "field": "registry.path", - "type": "mapping", - "value": "threat.indicator.registry.path" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 204 - }, - "id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_103.json b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_103.json new file mode 100644 index 000000000000..7cba50f6049b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_103.json @@ -0,0 +1,235 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", + "severity": "critical", + "tags": [ + "Elastic", + "Windows", + "Elastic Endgame", + "Network", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-8*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 103 + }, + "id": "699e9fdb-b77c-4c01-995c-1c15019b9c43_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_104.json b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_104.json new file mode 100644 index 000000000000..f7ae768ca7cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_104.json @@ -0,0 +1,230 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps:\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-8*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 104 + }, + "id": "699e9fdb-b77c-4c01-995c-1c15019b9c43_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_204.json b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_204.json new file mode 100644 index 000000000000..14c7cf51302c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/699e9fdb-b77c-4c01-995c-1c15019b9c43_204.json @@ -0,0 +1,231 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Indicator Matches\n\nThreat Intel indicator match rules allow matching from a local observation such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations. Matches can also occur on an IP address, registry path, URL, or imphash.\n\nThe matches will be based on the incoming last 30 days feed data so it's important to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation\n\n#### Possible investigation steps\n\n- Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.\n- Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n\n### False Positive Analysis\n\n- For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.\n- It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.\n\n### Response and Remediation\n\n- If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.\n- One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.\n- Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.\n\nThis rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\n* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64\n* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca\n* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60\n* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", + "setup": "This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:\n\nThreat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bcaThreat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-8*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 204 + }, + "id": "699e9fdb-b77c-4c01-995c-1c15019b9c43_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json deleted file mode 100644 index 8285e9f9fca6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Modification of Boot Configuration", - "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json new file mode 100644 index 000000000000..cb10b9e57c7b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of Boot Configuration", + "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json new file mode 100644 index 000000000000..62c42b957bdc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of Boot Configuration", + "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json deleted file mode 100644 index 7c5d1fecccd6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Password Recovery Requested", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", - "references": [ - "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json new file mode 100644 index 000000000000..dedee4e5ec1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Password Recovery Requested", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", + "references": [ + "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json new file mode 100644 index 000000000000..4d4734a3883a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Password Recovery Requested", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", + "references": [ + "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json deleted file mode 100644 index 84730b127d1e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", - "false_positives": [ - "Changes to Windows services or a rarely executed child process." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Service Host Child Process - Childless Service", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.012", - "name": "Process Hollowing", - "reference": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json new file mode 100644 index 000000000000..ffe0c21ea51e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", + "false_positives": [ + "Changes to Windows services or a rarely executed child process." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Service Host Child Process - Childless Service", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json new file mode 100644 index 000000000000..9a79fd14e499 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", + "false_positives": [ + "Changes to Windows services or a rarely executed child process." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Service Host Child Process - Childless Service", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json deleted file mode 100644 index 305ddfeeb245..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", - "false_positives": [ - "Legitimate exchange system administration activity." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Exporting Exchange Mailbox via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1005", - "name": "Data from Local System", - "reference": "https://attack.mitre.org/techniques/T1005/" - }, - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.002", - "name": "Remote Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "6aace640-e631-4870-ba8e-5fdda09325db", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json new file mode 100644 index 000000000000..ed21f4f77bda --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json new file mode 100644 index 000000000000..5d08dc0d1a36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json deleted file mode 100644 index df8c3a633783..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sensitive Files Compression", - "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", - "references": [ - "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.001", - "name": "Credentials In Files", - "reference": "https://attack.mitre.org/techniques/T1552/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1560", - "name": "Archive Collected Data", - "reference": "https://attack.mitre.org/techniques/T1560/", - "subtechnique": [ - { - "id": "T1560.001", - "name": "Archive via Utility", - "reference": "https://attack.mitre.org/techniques/T1560/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json new file mode 100644 index 000000000000..6cbae778429d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Files Compression", + "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", + "references": [ + "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Collection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json new file mode 100644 index 000000000000..19d79098cbfa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Files Compression", + "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", + "references": [ + "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json deleted file mode 100644 index 8bf3ba3a5426..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Computer Account DnsHostName Update", - "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", - "references": [ - "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.DnsHostName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - }, - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json new file mode 100644 index 000000000000..8942c539d443 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json @@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Computer Account DnsHostName Update", + "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where host.os.type == \"windows\" and event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where host.os.type == \"windows\" and DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.DnsHostName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json new file mode 100644 index 000000000000..b66b7efeb75c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json @@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Computer Account DnsHostName Update", + "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.DnsHostName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json new file mode 100644 index 000000000000..995925f485c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Computer Account DnsHostName Update", + "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.DnsHostName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json deleted file mode 100644 index 8e5c548dc906..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", - "false_positives": [ - "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", - "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Server UM Writing Suspicious Files", - "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json new file mode 100644 index 000000000000..3e6f9fb15da7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", + "false_positives": [ + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", + "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Writing Suspicious Files", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json new file mode 100644 index 000000000000..f8aa5ea16869 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", + "false_positives": [ + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", + "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Writing Suspicious Files", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json deleted file mode 100644 index 4496ee7ef33b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_rare_process_by_host_windows" - ], - "name": "Unusual Process For a Windows Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 106 - }, - "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json new file mode 100644 index 000000000000..953354c28f01 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json @@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_windows" + ], + "name": "Unusual Process For a Windows Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json new file mode 100644 index 000000000000..8ce0b73a9a00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json @@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_windows" + ], + "name": "Unusual Process For a Windows Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 105 + }, + "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json new file mode 100644 index 000000000000..1bdb3de316b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_rare_process_by_host_windows" + ], + "name": "Unusual Process For a Windows Host", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 106 + }, + "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json deleted file mode 100644 index 2426e938a4b8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", - "from": "now-9m", - "history_window_start": "now-15d", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "new_terms_fields": [ - "host.id" - ], - "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or \"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", - "references": [ - "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - "https://attack.mitre.org/techniques/T1219/" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.name.caseless", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Software", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json new file mode 100644 index 000000000000..b7a4a052b87e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Commonly Abused Remote Access Tool Execution", + "new_terms_fields": [ + "host.id" + ], + "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or \"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://attack.mitre.org/techniques/T1219/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json new file mode 100644 index 000000000000..8e22bb2baa2d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Commonly Abused Remote Access Tool Execution", + "new_terms_fields": [ + "host.id" + ], + "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or \"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://attack.mitre.org/techniques/T1219/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json deleted file mode 100644 index b1689d98e0bc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_process_all_hosts" - ], - "name": "Anomalous Process For a Windows Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 104 - }, - "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json new file mode 100644 index 000000000000..c07963bc6422 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Windows Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json new file mode 100644 index 000000000000..ec3c8971c017 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Windows Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Persistence", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json new file mode 100644 index 000000000000..73ccdbbcf00c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_process_all_hosts" + ], + "name": "Anomalous Process For a Windows Population", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 104 + }, + "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json deleted file mode 100644 index c3a8943d9d7d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AdminSDHolder Backdoor", - "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", - "references": [ - "https://adsecurity.org/?p=1906", - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ObjectDN", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json new file mode 100644 index 000000000000..e1868f68d297 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AdminSDHolder Backdoor", + "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", + "references": [ + "https://adsecurity.org/?p=1906", + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectDN", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json new file mode 100644 index 000000000000..c2bd2f46a1e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AdminSDHolder Backdoor", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", + "references": [ + "https://adsecurity.org/?p=1906", + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectDN", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json new file mode 100644 index 000000000000..000de267d577 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AdminSDHolder Backdoor", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", + "references": [ + "https://adsecurity.org/?p=1906", + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectDN", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json deleted file mode 100644 index d4976de144ac..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Users or Groups via Built-in Commands", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.001", - "name": "Local Groups", - "reference": "https://attack.mitre.org/techniques/T1069/001/" - } - ] - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1087/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json new file mode 100644 index 000000000000..4bb32a904929 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Users or Groups via Built-in Commands", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json new file mode 100644 index 000000000000..2a9a7a563e62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Users or Groups via Built-in Commands", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json deleted file mode 100644 index 9ee4cd46ee8c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", - "false_positives": [ - "Legit Application Crash with rare Werfault commandline value" - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Windows Error Manager Masquerading", - "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", - "references": [ - "https://twitter.com/SBousseaden/status/1235533224337641473", - "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", - "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json new file mode 100644 index 000000000000..45d5ecfaaeeb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", + "false_positives": [ + "Legit Application Crash with rare Werfault commandline value" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Windows Error Manager Masquerading", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", + "references": [ + "https://twitter.com/SBousseaden/status/1235533224337641473", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json new file mode 100644 index 000000000000..c10e962938ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", + "false_positives": [ + "Legit Application Crash with rare Werfault commandline value" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Windows Error Manager Masquerading", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", + "references": [ + "https://twitter.com/SBousseaden/status/1235533224337641473", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json new file mode 100644 index 000000000000..18b33d974d57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", + "false_positives": [ + "Legit Application Crash with rare Werfault commandline value" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Windows Error Manager Masquerading", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", + "references": [ + "https://twitter.com/SBousseaden/status/1235533224337641473", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json deleted file mode 100644 index d88b460a079c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Security Software Discovery using WMIC", - "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/", - "subtechnique": [ - { - "id": "T1518.001", - "name": "Security Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json new file mode 100644 index 000000000000..c5461dfe5710 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery using WMIC", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json new file mode 100644 index 000000000000..4033e027a2b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery using WMIC", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json deleted file mode 100644 index 32170c6a0875..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Role Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json new file mode 100644 index 000000000000..c56c368f1efa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Role Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json new file mode 100644 index 000000000000..e0ac47ad6acf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Role Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json new file mode 100644 index 000000000000..5718d89b72e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Role Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json deleted file mode 100644 index 849be0c19cbf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", - "false_positives": [ - "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudTrail Log Deleted", - "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "7024e2a0-315d-4334-bb1a-441c593e16ab", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json new file mode 100644 index 000000000000..e2ffbc407edc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", + "false_positives": [ + "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Deleted", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json new file mode 100644 index 000000000000..c7a570ea83bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", + "false_positives": [ + "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudTrail Log Deleted", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json deleted file mode 100644 index 2849d1d0a286..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", - "false_positives": [ - "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Config Resource Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", - "references": [ - "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", - "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "7024e2a0-315d-4334-bb1a-552d604f27bc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json new file mode 100644 index 000000000000..5bd81b5630b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", + "false_positives": [ + "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Config Resource Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json new file mode 100644 index 000000000000..70d6da31e81e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", + "false_positives": [ + "Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Config Resource Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json deleted file mode 100644 index 53ffb2d15183..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via WMI Standard Registry Provider", - "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", - "references": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - }, - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json new file mode 100644 index 000000000000..c166aa237407 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Standard Registry Provider", + "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json new file mode 100644 index 000000000000..78f621b93329 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Standard Registry Provider", + "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json deleted file mode 100644 index 5ad509a42cd2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json new file mode 100644 index 000000000000..0a51755fd7dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json new file mode 100644 index 000000000000..caf5e3ba3351 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json deleted file mode 100644 index 54fb04d72059..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", - "false_positives": [ - "Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Container Created with Excessive Linux Capabilities", - "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", - "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", - "references": [ - "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", - "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", - "https://man7.org/linux/man-pages/man7/capabilities.7.html", - "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "7164081a-3930-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "7164081a-3930-11ed-a261-0242ac120002", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json new file mode 100644 index 000000000000..71a4de662537 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", + "false_positives": [ + "Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Container Created with Excessive Linux Capabilities", + "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", + "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", + "references": [ + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", + "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", + "https://man7.org/linux/man-pages/man7/capabilities.7.html", + "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "7164081a-3930-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "7164081a-3930-11ed-a261-0242ac120002_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json new file mode 100644 index 000000000000..44d216a2aa4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", + "false_positives": [ + "Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Container Created with Excessive Linux Capabilities", + "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", + "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", + "references": [ + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", + "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", + "https://man7.org/linux/man-pages/man7/capabilities.7.html", + "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "7164081a-3930-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "7164081a-3930-11ed-a261-0242ac120002_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json deleted file mode 100644 index 64a1330de471..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Dynamic Linker Preload Shared Object", - "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and\nevent.action:(updated or renamed or rename)\n", - "references": [ - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json new file mode 100644 index 000000000000..a65f8bf29e90 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Dynamic Linker Preload Shared Object", + "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload\n", + "references": [ + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json new file mode 100644 index 000000000000..5dbe2cb30731 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Dynamic Linker Preload Shared Object", + "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload\n", + "references": [ + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json new file mode 100644 index 000000000000..e5712619a5ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Dynamic Linker Preload Shared Object", + "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and\nevent.action:(updated or renamed or rename)\n", + "references": [ + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json deleted file mode 100644 index c0490892cfe3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.004", - "name": "NTFS File Attributes", - "reference": "https://attack.mitre.org/techniques/T1564/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 109 - }, - "id": "71bccb61-e19b-452f-b104-79a60e546a95", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json new file mode 100644 index 000000000000..4a8babbec735 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json new file mode 100644 index 000000000000..40041e441677 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json new file mode 100644 index 000000000000..5090d38f3772 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json new file mode 100644 index 000000000000..e008b2d91fee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json new file mode 100644 index 000000000000..31710a221685 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json deleted file mode 100644 index c3c15966dea5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious RDP ActiveX Client Loaded", - "note": "", - "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "71c5cb27-eca5-4151-bb47-64bc3f883270", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json new file mode 100644 index 000000000000..de350f62b31a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious RDP ActiveX Client Loaded", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json new file mode 100644 index 000000000000..b4928d47a6a4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious RDP ActiveX Client Loaded", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json deleted file mode 100644 index 8ee93b08dd06..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", - "false_positives": [ - "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Potential ransomware activity", - "note": "", - "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1486", - "name": "Data Encrypted for Impact", - "reference": "https://attack.mitre.org/techniques/T1486/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "721999d0-7ab2-44bf-b328-6e63367b9b29", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json new file mode 100644 index 000000000000..079369a92078 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json new file mode 100644 index 000000000000..a95e27ae257e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json deleted file mode 100644 index 2ec3d07015d0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Reset MFA Factors for an Okta User Account", - "note": "", - "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "729aa18d-06a6-41c7-b175-b65b739b1181", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json new file mode 100644 index 000000000000..2fd4dfb5ecde --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Reset MFA Factors for an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "729aa18d-06a6-41c7-b175-b65b739b1181_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json new file mode 100644 index 000000000000..ebe362733df8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Reset MFA Factors for an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "729aa18d-06a6-41c7-b175-b65b739b1181_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json deleted file mode 100644 index 8c720b57eea7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", - "references": [ - "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.008", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1546/008/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.008", - "name": "Accessibility Features", - "reference": "https://attack.mitre.org/techniques/T1546/008/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json new file mode 100644 index 000000000000..0eaaaf3d5878 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json new file mode 100644 index 000000000000..fb4db6d39a7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json new file mode 100644 index 000000000000..78984d225d5a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json deleted file mode 100644 index 9dbd072951db..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Environment Variable via Launchctl", - "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", - "references": [ - "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.007", - "name": "Path Interception by PATH Environment Variable", - "reference": "https://attack.mitre.org/techniques/T1574/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json new file mode 100644 index 000000000000..89436af2fa9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Environment Variable via Launchctl", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:launchctl and\n process.args:(setenv and not (JAVA*_HOME or\n RUNTIME_JAVA_HOME or\n DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n ANT_HOME or\n LG_WEBOS_TV_SDK_HOME or\n WEBOS_CLI_TV or\n EDEN_ENV)\n ) and\n not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/usr/local/bin/kr\" or\n \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\") and\n not process.args : \"*.vmoptions\"\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json new file mode 100644 index 000000000000..7f19255c639a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Environment Variable via Launchctl", + "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json deleted file mode 100644 index acacd3086647..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", - "false_positives": [ - "Users working late, or logging in from unusual time zones while traveling, may trigger this rule." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_rare_hour_for_a_user", - "name": "Unusual Hour for a User to Logon", - "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "745b0119-0560-43ba-860a-7235dd8cee8d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json new file mode 100644 index 000000000000..5b3a8d2c5a0a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", + "false_positives": [ + "Users working late, or logging in from unusual time zones while traveling, may trigger this rule." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_hour_for_a_user", + "name": "Unusual Hour for a User to Logon", + "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "745b0119-0560-43ba-860a-7235dd8cee8d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json new file mode 100644 index 000000000000..52db3651908e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", + "false_positives": [ + "Users working late, or logging in from unusual time zones while traveling, may trigger this rule." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_hour_for_a_user", + "name": "Unusual Hour for a User to Logon", + "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "745b0119-0560-43ba-860a-7235dd8cee8d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json deleted file mode 100644 index 2d0f2c2732f6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", - "false_positives": [ - "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_dns_question", - "name": "Unusual DNS Activity", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.004", - "name": "DNS", - "reference": "https://attack.mitre.org/techniques/T1071/004/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "746edc4c-c54c-49c6-97a1-651223819448", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json new file mode 100644 index 000000000000..6e3730ac1bf5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_dns_question", + "name": "Unusual DNS Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "746edc4c-c54c-49c6-97a1-651223819448_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json new file mode 100644 index 000000000000..1de6110e0ab2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", + "false_positives": [ + "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_dns_question", + "name": "Unusual DNS Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "746edc4c-c54c-49c6-97a1-651223819448_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json deleted file mode 100644 index 73f47506fd13..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Sysctl File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and not process.name == \"auditbeat\"\n", - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "low", - "tags": [ - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json new file mode 100644 index 000000000000..73db05ab4650 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json @@ -0,0 +1,71 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Sysctl File Event", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and not process.name == \"auditbeat\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "low", + "tags": [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json deleted file mode 100644 index 2e889a49622e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*", - "traces-apm*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Web Application Suspicious Activity: Unauthorized Method", - "query": "http.response.status_code:405\n", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_405" - ], - "related_integrations": [ - { - "package": "apm", - "version": "^8.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "http.response.status_code", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", - "severity": "medium", - "tags": [ - "Data Source: APM" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "75ee75d8-c180-481c-ba88-ee50129a6aef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json new file mode 100644 index 000000000000..5a046fefccb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: Unauthorized Method", + "query": "http.response.status_code:405\n", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_405" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "75ee75d8-c180-481c-ba88-ee50129a6aef_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_102.json b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_102.json new file mode 100644 index 000000000000..bd4508a5b6dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_102.json @@ -0,0 +1,46 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: Unauthorized Method", + "query": "http.response.status_code:405\n", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_405" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", + "severity": "medium", + "tags": [ + "Data Source: APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "75ee75d8-c180-481c-ba88-ee50129a6aef_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json deleted file mode 100644 index 8c29b229e7fd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Privilege Escalation via Sudoers File Modification", - "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "76152ca1-71d0-4003-9e37-0983e12832da", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json new file mode 100644 index 000000000000..c14d5bba1c1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Sudoers File Modification", + "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "76152ca1-71d0-4003-9e37-0983e12832da_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json new file mode 100644 index 000000000000..8d9bd083a763 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Sudoers File Modification", + "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "76152ca1-71d0-4003-9e37-0983e12832da_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json deleted file mode 100644 index 3099245e56aa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", - "false_positives": [ - "An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Pod Created With HostIPC", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", - "references": [ - "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", - "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", - "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.hostIPC", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "764c8437-a581-4537-8060-1fdb0e92c92d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json new file mode 100644 index 000000000000..0e742c1012fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostIPC", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostIPC", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "764c8437-a581-4537-8060-1fdb0e92c92d_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json new file mode 100644 index 000000000000..78071b55cbba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostIPC", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostIPC", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "764c8437-a581-4537-8060-1fdb0e92c92d_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json deleted file mode 100644 index 7cb73f7dc80f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", - "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", - "references": [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMask", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", - "setup": "", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 6 - }, - "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json new file mode 100644 index 000000000000..a52fcbfed8b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to a Sensitive LDAP Attribute", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "setup": "", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json new file mode 100644 index 000000000000..d9e2424632e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to a Sensitive LDAP Attribute", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "setup": "", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json new file mode 100644 index 000000000000..989ee14b94ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to a Sensitive LDAP Attribute", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "setup": "", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json deleted file mode 100644 index 261a77fff8c1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Creation of Hidden Shared Object File", - "note": "", - "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json new file mode 100644 index 000000000000..9de296eec2fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Shared Object File", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json new file mode 100644 index 000000000000..a356f7946ad6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Shared Object File", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json deleted file mode 100644 index 2a8a71e41185..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", - "references": [ - "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", - "https://github.com/zcgonvh/EfsPotato", - "https://twitter.com/SBousseaden/status/1429530155291193354" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", - "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \u0026quot;contains\u0026quot; and keyword equal \u0026quot;pipe\u0026quot;`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json new file mode 100644 index 000000000000..a5d9a6342710 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", + "references": [ + "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", + "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", + "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \u0026quot;contains\u0026quot; and keyword equal \u0026quot;pipe\u0026quot;`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json new file mode 100644 index 000000000000..850f8c6144c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", + "references": [ + "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", + "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", + "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \u0026quot;contains\u0026quot; and keyword equal \u0026quot;pipe\u0026quot;`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json deleted file mode 100644 index d53633368689..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json new file mode 100644 index 000000000000..386d2c47244f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Suspicious Child Process", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json deleted file mode 100644 index 78dc9e057d38..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Remote Desktop Tunneling Detected", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", - "references": [ - "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1572", - "name": "Protocol Tunneling", - "reference": "https://attack.mitre.org/techniques/T1572/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json new file mode 100644 index 000000000000..aa8c28dca194 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Tunneling Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "references": [ + "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json new file mode 100644 index 000000000000..e916b2d5acce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Tunneling Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "references": [ + "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json deleted file mode 100644 index d1e19f7c95b5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json +++ /dev/null @@ -1,127 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration Command Spawned via WMIPrvSE", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/" - }, - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/" - }, - { - "id": "T1016", - "name": "System Network Configuration Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/", - "subtechnique": [ - { - "id": "T1016.001", - "name": "Internet Connection Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/001/" - } - ] - }, - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json new file mode 100644 index 000000000000..911c4927951d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration Command Spawned via WMIPrvSE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json new file mode 100644 index 000000000000..7f70429157c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration Command Spawned via WMIPrvSE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json deleted file mode 100644 index 49db0594f3c4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "User Added as Owner for Azure Application", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json new file mode 100644 index 000000000000..db6eeec7c4ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added as Owner for Azure Application", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json new file mode 100644 index 000000000000..369a360d17ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User Added as Owner for Azure Application", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json deleted file mode 100644 index a371aa6c7e40..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Adversary Behavior - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame" - ], - "type": "query", - "version": 102 - }, - "id": "77a3c3df-8ec4-4da4-b758-878f551dee69", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json new file mode 100644 index 000000000000..f03f629becbf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Adversary Behavior - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 101 + }, + "id": "77a3c3df-8ec4-4da4-b758-878f551dee69_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json new file mode 100644 index 000000000000..8065236ddab3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json @@ -0,0 +1,50 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Adversary Behavior - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame" + ], + "type": "query", + "version": 102 + }, + "id": "77a3c3df-8ec4-4da4-b758-878f551dee69_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json deleted file mode 100644 index f83545e48d13..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network-*", - "logs-network_traffic.*", - "packetbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Network Sweep Detected", - "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", - "severity": "medium", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.ip", - "value": 10 - } - ], - "field": [ - "source.ip" - ], - "value": 1 - }, - "type": "threshold", - "version": 1 - }, - "id": "781f8746-2180-4691-890c-4c96d11ca91d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json new file mode 100644 index 000000000000..c689e96b1e5a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-network_traffic.*", + "packetbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Network Sweep Detected", + "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", + "severity": "medium", + "tags": [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "destination.ip", + "value": 10 + } + ], + "field": [ + "source.ip" + ], + "value": 1 + }, + "type": "threshold", + "version": 1 + }, + "id": "781f8746-2180-4691-890c-4c96d11ca91d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json deleted file mode 100644 index f14188641551..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", - "false_positives": [ - "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Application Added to Google Workspace Domain", - "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json new file mode 100644 index 000000000000..d744cf1ff80c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", + "false_positives": [ + "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Added to Google Workspace Domain", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json new file mode 100644 index 000000000000..55a8b6678542 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", + "false_positives": [ + "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Added to Google Workspace Domain", + "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json new file mode 100644 index 000000000000..f6e724863aae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", + "false_positives": [ + "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Added to Google Workspace Domain", + "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json deleted file mode 100644 index dc700e23328c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Privilege Identity Management Role Modified", - "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.\n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", - "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json new file mode 100644 index 000000000000..d170636c1d76 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Privilege Identity Management Role Modified", + "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.\n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json new file mode 100644 index 000000000000..d4fef92e4c83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Privilege Identity Management Role Modified", + "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.\n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", + "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json deleted file mode 100644 index 83357f6371c6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", - "false_positives": [ - "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." - ], - "from": "now-60m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "high_distinct_count_error_message", - "name": "Spike in AWS Error Messages", - "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "related_integrations": [], - "risk_score": 21, - "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide" - ], - "type": "machine_learning", - "version": 105 - }, - "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json new file mode 100644 index 000000000000..6a9ff16f696d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", + "false_positives": [ + "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." + ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_distinct_count_error_message", + "name": "Spike in AWS Error Messages", + "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "ML", + "Machine Learning", + "Investigation Guide" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json new file mode 100644 index 000000000000..5f803179c7f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", + "false_positives": [ + "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." + ], + "from": "now-60m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_distinct_count_error_message", + "name": "Spike in AWS Error Messages", + "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 105 + }, + "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json deleted file mode 100644 index ebd5ecd65223..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unsigned DLL Loaded by Svchost", - "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "dll.Ext.relative_file_creation_time", - "type": "unknown" - }, - { - "ecs": true, - "name": "dll.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "dll.hash.sha256", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json new file mode 100644 index 000000000000..5b23fcfbadc3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Loaded by Svchost", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json new file mode 100644 index 000000000000..7d232fffdada --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Loaded by Svchost", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json deleted file mode 100644 index b13aedbee0a3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", - "false_positives": [ - "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Key Vault Modified", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", - "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.001", - "name": "Credentials In Files", - "reference": "https://attack.mitre.org/techniques/T1552/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json new file mode 100644 index 000000000000..426c37aae8ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", + "false_positives": [ + "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Key Vault Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", + "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json new file mode 100644 index 000000000000..f45f99d7b988 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", + "false_positives": [ + "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Key Vault Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", + "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json deleted file mode 100644 index abfb373d67c2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Exfiltration via Certreq", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", - "references": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certreq/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json new file mode 100644 index 000000000000..ceb044d8034e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Exfiltration via Certreq", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Command and Control", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json new file mode 100644 index 000000000000..e7d5c424609f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Exfiltration via Certreq", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json deleted file mode 100644 index d756df5b693b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", - "false_positives": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Shadow Credentials added to AD Object", - "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", - "references": [ - "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", - "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", - "https://github.com/OTRF/Set-AuditRule", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json new file mode 100644 index 000000000000..29f1df6808e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", + "false_positives": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow Credentials added to AD Object", + "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", + "references": [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json new file mode 100644 index 000000000000..5a5f6e41980a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", + "false_positives": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow Credentials added to AD Object", + "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", + "references": [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json new file mode 100644 index 000000000000..a30c9835ca57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", + "false_positives": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow Credentials added to AD Object", + "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", + "references": [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json deleted file mode 100644 index 0486d822641e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when an ElastiCache security group has been created.", - "false_positives": [ - "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS ElastiCache Security Group Created", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json new file mode 100644 index 000000000000..7b94e0666418 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an ElastiCache security group has been created.", + "false_positives": [ + "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS ElastiCache Security Group Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json new file mode 100644 index 000000000000..b8f0d9bd4deb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an ElastiCache security group has been created.", + "false_positives": [ + "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS ElastiCache Security Group Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json deleted file mode 100644 index eb978e9f4430..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Network Enumeration", - "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - }, - { - "id": "T1135", - "name": "Network Share Discovery", - "reference": "https://attack.mitre.org/techniques/T1135/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json new file mode 100644 index 000000000000..f8ea1e7a9e0b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Network Enumeration", + "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json new file mode 100644 index 000000000000..721741ae98e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Network Enumeration", + "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json deleted file mode 100644 index 9d48bca2f94e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious LSASS Access via MalSecLogon", - "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", - "references": [ - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.GrantedAccess", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetImage", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json new file mode 100644 index 000000000000..774ac9afd499 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious LSASS Access via MalSecLogon", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "references": [ + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json new file mode 100644 index 000000000000..6b517a6a9040 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious LSASS Access via MalSecLogon", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "references": [ + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_106.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_106.json new file mode 100644 index 000000000000..cd39ccb4003e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_106.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious LSASS Access via MalSecLogon", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "references": [ + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json deleted file mode 100644 index a1f11869ed36..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Tampering of Bash Command-Line History", - "note": "", - "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.003", - "name": "Clear Command History", - "reference": "https://attack.mitre.org/techniques/T1070/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 102 - }, - "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json new file mode 100644 index 000000000000..a99283f09ce6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Tampering of Bash Command-Line History", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json new file mode 100644 index 000000000000..c8d0e86c6a31 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Tampering of Bash Command-Line History", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json deleted file mode 100644 index 67c250e78109..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", - "false_positives": [ - "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Bitlocker Setting Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting \u003e Audit` and `Investigation \u003e Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json new file mode 100644 index 000000000000..1cf1756deb24 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", + "false_positives": [ + "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Bitlocker Setting Disabled", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json new file mode 100644 index 000000000000..4fa9af0077d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", + "false_positives": [ + "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Bitlocker Setting Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting \u003e Audit` and `Investigation \u003e Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json new file mode 100644 index 000000000000..bf0da5bf5dfe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", + "false_positives": [ + "Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Bitlocker Setting Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting \u003e Audit` and `Investigation \u003e Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json deleted file mode 100644 index 003ddc7846c9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.", - "false_positives": [ - "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "7ceb2216-47dd-4e64-9433-cddc99727623", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json new file mode 100644 index 000000000000..9f8eb4658a64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.", + "false_positives": [ + "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "7ceb2216-47dd-4e64-9433-cddc99727623_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json new file mode 100644 index 000000000000..6a2cebea9eb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.", + "false_positives": [ + "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "7ceb2216-47dd-4e64-9433-cddc99727623_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json deleted file mode 100644 index 5b7d67433049..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious WMIC XSL Script Execution", - "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1220", - "name": "XSL Script Processing", - "reference": "https://attack.mitre.org/techniques/T1220/" - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json new file mode 100644 index 000000000000..9981dcce3c63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMIC XSL Script Execution", + "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json new file mode 100644 index 000000000000..157fcd79d835 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMIC XSL Script Execution", + "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json deleted file mode 100644 index 3fddd66c0ddf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "New Systemd Timer Created", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", - "references": [ - "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.006", - "name": "Systemd Timers", - "reference": "https://attack.mitre.org/techniques/T1053/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "7fb500fa-8e24-4bd1-9480-2a819352602c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json new file mode 100644 index 000000000000..66680a1e69ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Timer Created", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.006", + "name": "Systemd Timers", + "reference": "https://attack.mitre.org/techniques/T1053/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json new file mode 100644 index 000000000000..7a5cf87fda44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Timer Created", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.006", + "name": "Systemd Timers", + "reference": "https://attack.mitre.org/techniques/T1053/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json deleted file mode 100644 index 511028c3aa71..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", - "false_positives": [ - "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Kernel Modules via Proc", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and \nfile.path == \"/proc/modules\" and not process.parent.pid == 1\n", - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "80084fa9-8677-4453-8680-b891d3c0c778", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json new file mode 100644 index 000000000000..30ced422f231 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules via Proc", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and \nfile.path == \"/proc/modules\" and not process.parent.pid == 1\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "80084fa9-8677-4453-8680-b891d3c0c778_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json deleted file mode 100644 index 35bc609f6bb5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", - "false_positives": [ - "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." - ], - "from": "now-2h", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_method_for_a_city", - "name": "Unusual City For an AWS Command", - "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "related_integrations": [], - "risk_score": 21, - "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide" - ], - "type": "machine_learning", - "version": 105 - }, - "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json new file mode 100644 index 000000000000..4eac711b3c8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_city", + "name": "Unusual City For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "ML", + "Machine Learning", + "Investigation Guide" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json new file mode 100644 index 000000000000..acbdfc8a600c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_city", + "name": "Unusual City For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 105 + }, + "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json deleted file mode 100644 index 68f7b34f1ee7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Process Injection - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "80c52164-c82a-402c-9964-852533d58be1", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "80c52164-c82a-402c-9964-852533d58be1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json new file mode 100644 index 000000000000..62309838f5f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Process Injection - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "80c52164-c82a-402c-9964-852533d58be1", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "80c52164-c82a-402c-9964-852533d58be1_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json new file mode 100644 index 000000000000..c1925dcee3d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Process Injection - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "80c52164-c82a-402c-9964-852533d58be1", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "80c52164-c82a-402c-9964-852533d58be1_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json deleted file mode 100644 index e3808d16d72b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "PowerShell Script Block Logging Disabled", - "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", - "references": [ - "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.002", - "name": "Disable Windows Event Logging", - "reference": "https://attack.mitre.org/techniques/T1562/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json new file mode 100644 index 000000000000..0bedca184dc4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PowerShell Script Block Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json new file mode 100644 index 000000000000..3abc8825da1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PowerShell Script Block Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json deleted file mode 100644 index 2a2881a4b2ea..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", - "false_positives": [ - "Legitimate PowerShell Scripts which makes use of compression and encoding." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json new file mode 100644 index 000000000000..55ba193b9060 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of compression and encoding." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Payload Encoded and Compressed", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json new file mode 100644 index 000000000000..5b0878a97b9a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of compression and encoding." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Payload Encoded and Compressed", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json new file mode 100644 index 000000000000..987616240182 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of compression and encoding." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Payload Encoded and Compressed", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json deleted file mode 100644 index 923ce72aa4e8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Temporarily Scheduled Task Creation", - "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 6 - }, - "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json new file mode 100644 index 000000000000..bfeb52f3f7ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Temporarily Scheduled Task Creation", + "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json new file mode 100644 index 000000000000..cb594965fb2f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Temporarily Scheduled Task Creation", + "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json new file mode 100644 index 000000000000..c4157c2c3329 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Temporarily Scheduled Task Creation", + "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json deleted file mode 100644 index 0a68e147d222..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Apple Scripting Execution with Administrator Privileges", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", - "references": [ - "https://discussions.apple.com/thread/2266150" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json new file mode 100644 index 000000000000..782b48880ba3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Scripting Execution with Administrator Privileges", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", + "references": [ + "https://discussions.apple.com/thread/2266150" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json new file mode 100644 index 000000000000..fa4818d6a61f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Scripting Execution with Administrator Privileges", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", + "references": [ + "https://discussions.apple.com/thread/2266150" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json deleted file mode 100644 index 8784868b84fe..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.", - "false_positives": [ - "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Kubernetes Pods Deleted", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Asset Visibility", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "83a1931d-8136-46fc-b7b9-2db4f639e014", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json new file mode 100644 index 000000000000..9c794a721a60 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.", + "false_positives": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Pods Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "83a1931d-8136-46fc-b7b9-2db4f639e014_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json new file mode 100644 index 000000000000..d553a7e068f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.", + "false_positives": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Pods Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Asset Visibility", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "83a1931d-8136-46fc-b7b9-2db4f639e014_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json deleted file mode 100644 index 8f2b9325ae4d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Disable IPTables or Firewall", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json new file mode 100644 index 000000000000..8cf23755e149 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable IPTables or Firewall", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json new file mode 100644 index 000000000000..e29af6da1360 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable IPTables or Firewall", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json deleted file mode 100644 index aae563fcd445..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", - "false_positives": [ - "Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumerating Domain Trusts via NLTEST.EXE", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", - "references": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1482", - "name": "Domain Trust Discovery", - "reference": "https://attack.mitre.org/techniques/T1482/" - }, - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "84da2554-e12a-11ec-b896-f661ea17fbcd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json new file mode 100644 index 000000000000..b844294f5c6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via NLTEST.EXE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json new file mode 100644 index 000000000000..d0586e31923d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via NLTEST.EXE", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json deleted file mode 100644 index d6adfa3bcfbd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json +++ /dev/null @@ -1,154 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Remote Credential Access via Registry", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", - "references": [ - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.header_bytes", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.size", - "type": "long" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 107 - }, - "id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json new file mode 100644 index 000000000000..34e458693e8a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json @@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Credential Access via Registry", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json new file mode 100644 index 000000000000..ee86936942e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json @@ -0,0 +1,155 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Credential Access via Registry", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json new file mode 100644 index 000000000000..4d4c8c84ffe5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json @@ -0,0 +1,154 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Credential Access via Registry", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json deleted file mode 100644 index 7a6248577be7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious PowerShell Engine ImageLoad", - "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "library where host.os.type == \"windows\" and\n dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n not \n (\n /* MS Signed Binaries */\n (\n process.code_signature.subject_name : (\n \"Microsoft Windows\",\n \"Microsoft Dynamic Code Publisher\",\n \"Microsoft Corporation\"\n ) and process.code_signature.trusted == true and not process.name : (\"rundll32.exe\", \"regsvr32.exe\")\n ) or\n\n /* Signed Executables from the Program Files folder */\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\"\n ) and process.code_signature.trusted == true\n ) or\n\n /* Lenovo */\n (\n process.executable : (\n \"?:\\\\Windows\\\\Lenovo\\\\*.exe\"\n ) and (process.code_signature.subject_name : \"Lenovo\" and process.code_signature.trusted == true) \n )\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "852c1f19-68e8-43a6-9dce-340771fe1be3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json new file mode 100644 index 000000000000..f41553a61b32 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json new file mode 100644 index 000000000000..b61aa3e4d879 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json new file mode 100644 index 000000000000..a53ab0a8034d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json new file mode 100644 index 000000000000..8fa670e6553b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "library where host.os.type == \"windows\" and\n dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n not \n (\n /* MS Signed Binaries */\n (\n process.code_signature.subject_name : (\n \"Microsoft Windows\",\n \"Microsoft Dynamic Code Publisher\",\n \"Microsoft Corporation\"\n ) and process.code_signature.trusted == true and not process.name : (\"rundll32.exe\", \"regsvr32.exe\")\n ) or\n\n /* Signed Executables from the Program Files folder */\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\"\n ) and process.code_signature.trusted == true\n ) or\n\n /* Lenovo */\n (\n process.executable : (\n \"?:\\\\Windows\\\\Lenovo\\\\*.exe\"\n ) and (process.code_signature.subject_name : \"Lenovo\" and process.code_signature.trusted == true) \n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json deleted file mode 100644 index e485817164a8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", - "false_positives": [ - "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Network Access Control List Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "8623535c-1e17-44e1-aa97-7a0699c3037d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json new file mode 100644 index 000000000000..827ba9e8ea1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", + "false_positives": [ + "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Network Access Control List Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json new file mode 100644 index 000000000000..fa93949dc80b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", + "false_positives": [ + "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Network Access Control List Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json deleted file mode 100644 index a2c874e9eb05..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", - "false_positives": [ - "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Security Group Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "863cdf31-7fd3-41cf-a185-681237ea277b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json new file mode 100644 index 000000000000..da69d2c4b4a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", + "false_positives": [ + "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Security Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "863cdf31-7fd3-41cf-a185-681237ea277b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json new file mode 100644 index 000000000000..5c65ce55bf6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", + "false_positives": [ + "An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Security Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "863cdf31-7fd3-41cf-a185-681237ea277b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json deleted file mode 100644 index b903e399f373..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", - "false_positives": [ - "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Group Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json new file mode 100644 index 000000000000..95bb398d4a79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", + "false_positives": [ + "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json new file mode 100644 index 000000000000..386d2a526d70 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", + "false_positives": [ + "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Group Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json deleted file mode 100644 index dfe93eab4239..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", - "false_positives": [ - "Endpoint Security installers, updaters and post installation verification scripts." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Security Software Discovery via Grep", - "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/", - "subtechnique": [ - { - "id": "T1518.001", - "name": "Security Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json new file mode 100644 index 000000000000..67ac3c5acb78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", + "false_positives": [ + "Endpoint Security installers, updaters and post installation verification scripts." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery via Grep", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Discovery", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "870aecc0-cea4-4110-af3f-e02e9b373655_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json new file mode 100644 index 000000000000..75d2d2b04314 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", + "false_positives": [ + "Endpoint Security installers, updaters and post installation verification scripts." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery via Grep", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "870aecc0-cea4-4110-af3f-e02e9b373655_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json deleted file mode 100644 index 50455362d77c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json +++ /dev/null @@ -1,125 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enumeration of Administrator Accounts", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.001", - "name": "Local Groups", - "reference": "https://attack.mitre.org/techniques/T1069/001/" - }, - { - "id": "T1069.002", - "name": "Domain Groups", - "reference": "https://attack.mitre.org/techniques/T1069/002/" - } - ] - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1087/001/" - }, - { - "id": "T1087.002", - "name": "Domain Account", - "reference": "https://attack.mitre.org/techniques/T1087/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "871ea072-1b71-4def-b016-6278b505138d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json new file mode 100644 index 000000000000..ee58813e6b4b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Administrator Accounts", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "871ea072-1b71-4def-b016-6278b505138d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + }, + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "871ea072-1b71-4def-b016-6278b505138d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json new file mode 100644 index 000000000000..57864f85ddf6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Administrator Accounts", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "871ea072-1b71-4def-b016-6278b505138d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + }, + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "871ea072-1b71-4def-b016-6278b505138d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json deleted file mode 100644 index 9b7a69a38938..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", - "false_positives": [ - "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EventBridge Rule Disabled or Deleted", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", - "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json new file mode 100644 index 000000000000..33d7211bd101 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", + "false_positives": [ + "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EventBridge Rule Disabled or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json new file mode 100644 index 000000000000..8b8582f6b8ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", + "false_positives": [ + "EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EventBridge Rule Disabled or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", + "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json deleted file mode 100644 index 58a20589f91f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Global Administrator Role Assigned", - "note": "", - "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "88671231-6626-4e1b-abb7-6e361a171fbb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json new file mode 100644 index 000000000000..d84308622cdf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json new file mode 100644 index 000000000000..58b40eb0ecc7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json deleted file mode 100644 index 142b5ecd26c0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Sublime Plugin or Application Script Modification", - "note": "", - "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", - "references": [ - "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1554", - "name": "Compromise Client Software Binary", - "reference": "https://attack.mitre.org/techniques/T1554/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json new file mode 100644 index 000000000000..0b19799c98d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Sublime Plugin or Application Script Modification", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "88817a33-60d3-411f-ba79-7c905d865b2a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json new file mode 100644 index 000000000000..2a4acf5e2421 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Sublime Plugin or Application Script Modification", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "88817a33-60d3-411f-ba79-7c905d865b2a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json deleted file mode 100644 index f4181fa57c39..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious WMI Image Load from MS Office", - "note": "", - "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", - "references": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json new file mode 100644 index 000000000000..ff262007fdc7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMI Image Load from MS Office", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json new file mode 100644 index 000000000000..0c5515ddaa56 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMI Image Load from MS Office", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json deleted file mode 100644 index de9e079b5847..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", - "false_positives": [ - "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "897dc6b5-b39f-432a-8d75-d3730d50c782", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json new file mode 100644 index 000000000000..a2fb9ef0b356 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json new file mode 100644 index 000000000000..24eef96a671c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json new file mode 100644 index 000000000000..cc84f7af7d4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json deleted file mode 100644 index dd8e1479f3b5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", - "false_positives": [ - "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Prompt Network Connection", - "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json new file mode 100644 index 000000000000..22a6d37e93d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Prompt Network Connection", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json new file mode 100644 index 000000000000..c19c74fa7546 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Prompt Network Connection", + "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json new file mode 100644 index 000000000000..7edcee49fd98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Prompt Network Connection", + "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json deleted file mode 100644 index 81fc2a1b2917..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via DirectoryService Plugin Modification", - "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", - "references": [ - "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "89fa6cb7-6b53-4de2-b604-648488841ab8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json new file mode 100644 index 000000000000..cb54a28613c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via DirectoryService Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", + "references": [ + "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json new file mode 100644 index 000000000000..63672ca7e910 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via DirectoryService Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", + "references": [ + "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json deleted file mode 100644 index e896f227b140..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Setuid / Setgid Bit Set via chmod", - "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", - "related_integrations": [], - "risk_score": 21, - "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.001", - "name": "Setuid and Setgid", - "reference": "https://attack.mitre.org/techniques/T1548/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json new file mode 100644 index 000000000000..b2ecf1fc7c7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json @@ -0,0 +1,68 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Setuid / Setgid Bit Set via chmod", + "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", + "related_integrations": [], + "risk_score": 21, + "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json new file mode 100644 index 000000000000..0d5f9759e7db --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Setuid / Setgid Bit Set via chmod", + "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", + "related_integrations": [], + "risk_score": 21, + "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json deleted file mode 100644 index de983b8c70dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json +++ /dev/null @@ -1,136 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution from a Mounted Device", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.005", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1218/005/" - }, - { - "id": "T1218.010", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1218/010/" - }, - { - "id": "T1218.011", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1218/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json new file mode 100644 index 000000000000..3c7f66c90e18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json @@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from a Mounted Device", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + }, + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json new file mode 100644 index 000000000000..d7e03c66d243 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from a Mounted Device", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + }, + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json deleted file mode 100644 index 3d96baf7152f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Network Zone", - "note": "", - "query": "event.dataset:okta.system and event.action:zone.deactivate\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json new file mode 100644 index 000000000000..23ad6fd36281 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:zone.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json new file mode 100644 index 000000000000..163f111530cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:zone.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json deleted file mode 100644 index 9d8a7e0956f3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious JAVA Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", - "references": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/christophetd/log4shell-vulnerable-app", - "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", - "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", - "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json new file mode 100644 index 000000000000..bf510cc80963 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious JAVA Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", + "references": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/christophetd/log4shell-vulnerable-app", + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json new file mode 100644 index 000000000000..e064e9303888 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious JAVA Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", + "references": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/christophetd/log4shell-vulnerable-app", + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json deleted file mode 100644 index 0f825e5d24bf..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Executable File Creation with Multiple Extensions", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.007", - "name": "Double File Extension", - "reference": "https://attack.mitre.org/techniques/T1036/007/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json new file mode 100644 index 000000000000..a4af55da1fb2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable File Creation with Multiple Extensions", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.007", + "name": "Double File Extension", + "reference": "https://attack.mitre.org/techniques/T1036/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json new file mode 100644 index 000000000000..5c6fc677258d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable File Creation with Multiple Extensions", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.007", + "name": "Double File Extension", + "reference": "https://attack.mitre.org/techniques/T1036/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json deleted file mode 100644 index bcc363f78b91..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", - "false_positives": [ - "Host Windows Firewall planned system administration changes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Enable Host Network Discovery via Netsh", - "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.004", - "name": "Disable or Modify System Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json new file mode 100644 index 000000000000..0bb035227616 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", + "false_positives": [ + "Host Windows Firewall planned system administration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enable Host Network Discovery via Netsh", + "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json new file mode 100644 index 000000000000..b21215487436 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", + "false_positives": [ + "Host Windows Firewall planned system administration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enable Host Network Discovery via Netsh", + "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json deleted file mode 100644 index a2c4df99415e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", - "false_positives": [ - "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Kubernetes Events Deleted", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json new file mode 100644 index 000000000000..4780d9ccdf3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "false_positives": [ + "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Events Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json new file mode 100644 index 000000000000..0461f080cb03 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "false_positives": [ + "Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Kubernetes Events Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json deleted file mode 100644 index 593316c27b88..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "false_positives": [ - "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RDP (Remote Desktop Protocol) from the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 47, - "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", - "timeline_title": "Comprehensive Network Timeline", - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json new file mode 100644 index 000000000000..efe0af6757d6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", + "timeline_title": "Comprehensive Network Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json new file mode 100644 index 000000000000..413e398dc5d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "RDP (Remote Desktop Protocol) from the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", + "timeline_title": "Comprehensive Network Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json deleted file mode 100644 index 36ea8ab76865..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", - "false_positives": [ - "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Child Process of dns.exe", - "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://github.com/maxpl0it/CVE-2020-1350-DoS", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json new file mode 100644 index 000000000000..6b8e27c8ce0f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "false_positives": [ + "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process of dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json new file mode 100644 index 000000000000..fe44b5ad2540 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "false_positives": [ + "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process of dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json deleted file mode 100644 index 3980b20973ed..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json +++ /dev/null @@ -1,125 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential SharpRDP Behavior", - "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", - "references": [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.001", - "name": "Remote Desktop Protocol", - "reference": "https://attack.mitre.org/techniques/T1021/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "8c81e506-6e82-4884-9b9a-75d3d252f967", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json new file mode 100644 index 000000000000..cda216987f95 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SharpRDP Behavior", + "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json new file mode 100644 index 000000000000..de51c103ceb3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SharpRDP Behavior", + "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json deleted file mode 100644 index e4a9d69341fa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Ransomware - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 99, - "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", - "severity": "critical", - "tags": [ - "Data Source: Elastic Endgame" - ], - "type": "query", - "version": 101 - }, - "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json new file mode 100644 index 000000000000..827477ec33ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Ransomware - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", + "severity": "critical", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 100 + }, + "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json new file mode 100644 index 000000000000..b7233eb797de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Ransomware - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", + "severity": "critical", + "tags": [ + "Data Source: Elastic Endgame" + ], + "type": "query", + "version": 101 + }, + "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json deleted file mode 100644 index 0c03d32a4767..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential SSH Password Guessing", - "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 6 - }, - "id": "8cb84371-d053-4f4f-bce0-c74990e28f28", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json new file mode 100644 index 000000000000..0731824854e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SSH Password Guessing", + "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=2\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json new file mode 100644 index 000000000000..3beba52926f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SSH Password Guessing", + "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=2\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json new file mode 100644 index 000000000000..1976c7eefc41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SSH Password Guessing", + "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json deleted file mode 100644 index 6891ead2da56..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privilege Escalation via PKEXEC", - "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", - "references": [ - "https://seclists.org/oss-sec/2022/q1/80", - "https://haxx.in/files/blasty-vs-pkexec.c" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.007", - "name": "Path Interception by PATH Environment Variable", - "reference": "https://attack.mitre.org/techniques/T1574/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json new file mode 100644 index 000000000000..667fe199fbf9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via PKEXEC", + "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", + "references": [ + "https://seclists.org/oss-sec/2022/q1/80", + "https://haxx.in/files/blasty-vs-pkexec.c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json new file mode 100644 index 000000000000..452af282846a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via PKEXEC", + "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", + "references": [ + "https://seclists.org/oss-sec/2022/q1/80", + "https://haxx.in/files/blasty-vs-pkexec.c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json deleted file mode 100644 index e8668c8d60c2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Automation Runbook Deleted", - "note": "", - "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and\n event.outcome:(Success or success)\n", - "references": [ - "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", - "https://github.com/hausec/PowerZure", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json new file mode 100644 index 000000000000..362cc692a663 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Runbook Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json new file mode 100644 index 000000000000..24d78ae2b32a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Runbook Deleted", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json deleted file mode 100644 index 7d3c1816027b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Port Monitor or Print Processor Registration Abuse", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", - "references": [ - "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.010", - "name": "Port Monitors", - "reference": "https://attack.mitre.org/techniques/T1547/010/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.010", - "name": "Port Monitors", - "reference": "https://attack.mitre.org/techniques/T1547/010/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json new file mode 100644 index 000000000000..aab0eeb63863 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Port Monitor or Print Processor Registration Abuse", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json new file mode 100644 index 000000000000..03543c12cc76 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Port Monitor or Print Processor Registration Abuse", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json deleted file mode 100644 index d3c784559ff3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json +++ /dev/null @@ -1,130 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", - "references": [ - "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.003", - "name": "Distributed Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1021/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json new file mode 100644 index 000000000000..f6c29a14a602 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json @@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json new file mode 100644 index 000000000000..6a658e3bedd3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json deleted file mode 100644 index f07629ca302f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", - "false_positives": [ - "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json new file mode 100644 index 000000000000..e7112e934b6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", + "false_positives": [ + "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json new file mode 100644 index 000000000000..fbe04cb60737 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", + "false_positives": [ + "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json deleted file mode 100644 index bde92130d1c8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", - "false_positives": [ - "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Hping Process Activity", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n", - "references": [ - "https://en.wikipedia.org/wiki/Hping" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json new file mode 100644 index 000000000000..a0dfe35b7e14 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Hping Process Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "90169566-2260-4824-b8e4-8615c3b4ed52_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json new file mode 100644 index 000000000000..e7b17da7f9fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Hping Process Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "90169566-2260-4824-b8e4-8615c3b4ed52_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json deleted file mode 100644 index e4ce17ea5950..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", - "false_positives": [ - "Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Deletion of RDS Instance or Cluster", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json new file mode 100644 index 000000000000..2df5df89acfd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", + "false_positives": [ + "Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Deletion of RDS Instance or Cluster", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json new file mode 100644 index 000000000000..78b9ba6f1508 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", + "false_positives": [ + "Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Deletion of RDS Instance or Cluster", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json deleted file mode 100644 index a0817342b2af..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", - "false_positives": [ - "Applications for password management." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Keychain Password Retrieval via Command Line", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", - "references": [ - "https://www.netmeister.org/blog/keychain-passwords.html", - "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", - "https://ss64.com/osx/security.html", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.003", - "name": "Credentials from Web Browsers", - "reference": "https://attack.mitre.org/techniques/T1555/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json new file mode 100644 index 000000000000..dbad5d9f6800 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "false_positives": [ + "Applications for password management." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Keychain Password Retrieval via Command Line", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", + "references": [ + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", + "https://ss64.com/osx/security.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json new file mode 100644 index 000000000000..15775a0461c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "false_positives": [ + "Applications for password management." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Keychain Password Retrieval via Command Line", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", + "references": [ + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", + "https://ss64.com/osx/security.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json deleted file mode 100644 index c593f8582fa3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", - "false_positives": [ - "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Route Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", - "references": [ - "https://cloud.google.com/vpc/docs/routes", - "https://cloud.google.com/vpc/docs/using-routes" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json new file mode 100644 index 000000000000..4ade8bc13200 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json new file mode 100644 index 000000000000..65448f516569 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json deleted file mode 100644 index 7ac5569d1534..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", - "false_positives": [ - "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS WAF Access Control List Deletion", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", - "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "91d04cd4-47a9-4334-ab14-084abe274d49", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json new file mode 100644 index 000000000000..bb46a6c666f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", + "false_positives": [ + "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Access Control List Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "91d04cd4-47a9-4334-ab14-084abe274d49_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json new file mode 100644 index 000000000000..aad9da176b09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", + "false_positives": [ + "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS WAF Access Control List Deletion", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "91d04cd4-47a9-4334-ab14-084abe274d49_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json deleted file mode 100644 index f19437bc1f4f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", - "false_positives": [ - "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_user_agent", - "name": "Unusual Web User Agent", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "91f02f01-969f-4167-8d77-07827ac4cee0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json new file mode 100644 index 000000000000..c9ee08c39412 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "91f02f01-969f-4167-8d77-07827ac4cee0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json new file mode 100644 index 000000000000..356b91bb67b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", + "false_positives": [ + "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_user_agent", + "name": "Unusual Web User Agent", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "91f02f01-969f-4167-8d77-07827ac4cee0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json deleted file mode 100644 index 91a432767941..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", - "false_positives": [ - "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_rare_urls", - "name": "Unusual Web Request", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "91f02f01-969f-4167-8f55-07827ac3acc9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json new file mode 100644 index 000000000000..ffaa85cd294b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "91f02f01-969f-4167-8f55-07827ac3acc9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json new file mode 100644 index 000000000000..ed61d8464fac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", + "false_positives": [ + "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_rare_urls", + "name": "Unusual Web Request", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "91f02f01-969f-4167-8f55-07827ac3acc9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json deleted file mode 100644 index da635752f54c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", - "false_positives": [ - "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "packetbeat_dns_tunneling", - "name": "DNS Tunneling", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1572", - "name": "Protocol Tunneling", - "reference": "https://attack.mitre.org/techniques/T1572/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "91f02f01-969f-4167-8f66-07827ac3bdd9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json new file mode 100644 index 000000000000..57fdc8f88fe5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json new file mode 100644 index 000000000000..452568773a12 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json @@ -0,0 +1,50 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", + "false_positives": [ + "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "packetbeat_dns_tunneling", + "name": "DNS Tunneling", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json deleted file mode 100644 index 4b2b7e6972a2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1115", - "name": "Clipboard Data", - "reference": "https://attack.mitre.org/techniques/T1115/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "92984446-aefb-4d5e-ad12-598042ca80ba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json new file mode 100644 index 000000000000..b70527b44fb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "PowerShell", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "92984446-aefb-4d5e-ad12-598042ca80ba_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json new file mode 100644 index 000000000000..9fcaa18a8be0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and \n powershell.file.script_block_text:((Windows.Clipboard or \n Windows.Forms.Clipboard or \n Windows.Forms.TextBox) and \n (\".Paste()\" or \n \"]::GetText\")) or \n powershell.file.script_block_text:Get-Clipboard and \n not user.id:S-1-5-18\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "92984446-aefb-4d5e-ad12-598042ca80ba_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json new file mode 100644 index 000000000000..846c2ba0a038 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "92984446-aefb-4d5e-ad12-598042ca80ba_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json deleted file mode 100644 index e22ea884e2e7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "A scheduled task was created", - "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 21, - "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 7 - }, - "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json new file mode 100644 index 000000000000..d10b1104de0f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was created", + "query": "iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json new file mode 100644 index 000000000000..20f08a97e919 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was created", + "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json new file mode 100644 index 000000000000..5d65a49c8654 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was created", + "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json deleted file mode 100644 index 64a71768b928..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", - "false_positives": [ - "Automated processes that use Terraform may lead to false positives." - ], - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Security Token Service (STS) AssumeRole Usage", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "93075852-b0f5-4b8b-89c3-a226efae5726", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json new file mode 100644 index 000000000000..08a36c81a98e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", + "false_positives": [ + "Automated processes that use Terraform may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Token Service (STS) AssumeRole Usage", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "93075852-b0f5-4b8b-89c3-a226efae5726_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json new file mode 100644 index 000000000000..9d9bf69b2e4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", + "false_positives": [ + "Automated processes that use Terraform may lead to false positives." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Security Token Service (STS) AssumeRole Usage", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "93075852-b0f5-4b8b-89c3-a226efae5726_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json deleted file mode 100644 index 7a0fda304a44..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sudoers File Modification", - "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json new file mode 100644 index 000000000000..319d54caa237 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudoers File Modification", + "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json new file mode 100644 index 000000000000..b4393926b2a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudoers File Modification", + "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json deleted file mode 100644 index f555de5435b4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS VPC Flow Logs Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json new file mode 100644 index 000000000000..74850590a2f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS VPC Flow Logs Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json new file mode 100644 index 000000000000..3aef4e11a82d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS VPC Flow Logs Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json deleted file mode 100644 index 9f87448fd2b8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", - "false_positives": [ - "Trusted SolarWinds child processes, verify process details such as network connections and file writes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious SolarWinds Child Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json new file mode 100644 index 000000000000..fe21eb7ca914 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", + "false_positives": [ + "Trusted SolarWinds child processes, verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious SolarWinds Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json new file mode 100644 index 000000000000..2174b2bbcaea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", + "false_positives": [ + "Trusted SolarWinds child processes, verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious SolarWinds Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json deleted file mode 100644 index fc16d1554f69..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Encoded Executable Stored in the Registry", - "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - } - ], - "risk_score": 47, - "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json new file mode 100644 index 000000000000..5805e201cc71 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encoded Executable Stored in the Registry", + "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json new file mode 100644 index 000000000000..4cdfd7896665 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encoded Executable Stored in the Registry", + "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json deleted file mode 100644 index bbe51e787486..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", - "false_positives": [ - "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Deletion", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json new file mode 100644 index 000000000000..da404946d639 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", + "false_positives": [ + "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Deletion", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json new file mode 100644 index 000000000000..3fcca900c1fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", + "false_positives": [ + "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Deletion", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Impact", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json new file mode 100644 index 000000000000..91f0362f0d87 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", + "false_positives": [ + "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Admin Role Deletion", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json deleted file mode 100644 index f3f0ff0a4fdd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", - "false_positives": [ - "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Standard Authentication Module or Configuration", - "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", - "references": [ - "https://github.com/zephrax/linux-pam-backdoor", - "https://github.com/eurialo/pambd", - "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", - "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "93f47b6f-5728-4004-ba00-625083b3dcb0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json new file mode 100644 index 000000000000..041bd7d29469 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Standard Authentication Module or Configuration", + "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json new file mode 100644 index 000000000000..a46154392d02 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Standard Authentication Module or Configuration", + "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Credential Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json new file mode 100644 index 000000000000..499b2484bb13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", + "false_positives": [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Standard Authentication Module or Configuration", + "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", + "references": [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json deleted file mode 100644 index 86cac4728308..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Group Policy Discovery via Microsoft GPResult Utility", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1615", - "name": "Group Policy Discovery", - "reference": "https://attack.mitre.org/techniques/T1615/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json new file mode 100644 index 000000000000..bbe4f871b657 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Group Policy Discovery via Microsoft GPResult Utility", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json new file mode 100644 index 000000000000..0598d0b5a045 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Group Policy Discovery via Microsoft GPResult Utility", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json deleted file mode 100644 index f5c6191fc5e9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", - "false_positives": [ - "Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Custom Gmail Route Created or Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting \u003e Audit and investigation \u003e Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", - "references": [ - "https://support.google.com/a/answer/2685650?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.003", - "name": "Email Forwarding Rule", - "reference": "https://attack.mitre.org/techniques/T1114/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "9510add4-3392-11ed-bd01-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json new file mode 100644 index 000000000000..3b236cdcc1fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", + "false_positives": [ + "Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Gmail Route Created or Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", + "references": [ + "https://support.google.com/a/answer/2685650?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "9510add4-3392-11ed-bd01-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json new file mode 100644 index 000000000000..cff3a6bea371 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", + "false_positives": [ + "Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Gmail Route Created or Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting \u003e Audit and investigation \u003e Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", + "references": [ + "https://support.google.com/a/answer/2685650?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Collection", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "9510add4-3392-11ed-bd01-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json new file mode 100644 index 000000000000..8d94b99f36bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", + "false_positives": [ + "Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Gmail Route Created or Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting \u003e Audit and investigation \u003e Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", + "references": [ + "https://support.google.com/a/answer/2685650?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "9510add4-3392-11ed-bd01-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json deleted file mode 100644 index 851a57d81516..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json +++ /dev/null @@ -1,129 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Scheduled Task Creation", - "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "954ee7c8-5437-49ae-b2d6-2960883898e9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json new file mode 100644 index 000000000000..353c99795724 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json new file mode 100644 index 000000000000..4349f5bb6977 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json deleted file mode 100644 index 14bcc5f2a462..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Suspicious Script with Screenshot Capabilities", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1113", - "name": "Screen Capture", - "reference": "https://attack.mitre.org/techniques/T1113/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "959a7353-1129-4aa7-9084-30746b256a70", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json new file mode 100644 index 000000000000..56be0a50232f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Screenshot Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1113", + "name": "Screen Capture", + "reference": "https://attack.mitre.org/techniques/T1113/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "959a7353-1129-4aa7-9084-30746b256a70_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json new file mode 100644 index 000000000000..3336af9fa796 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Screenshot Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1113", + "name": "Screen Capture", + "reference": "https://attack.mitre.org/techniques/T1113/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "959a7353-1129-4aa7-9084-30746b256a70_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json deleted file mode 100644 index 4e3ce4adae63..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "File made Immutable by Chattr", - "note": "", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/", - "subtechnique": [ - { - "id": "T1222.002", - "name": "Linux and Mac File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json new file mode 100644 index 000000000000..c06521ca55e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "File made Immutable by Chattr", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: \"/lib/systemd/systemd\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.002", + "name": "Linux and Mac File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json new file mode 100644 index 000000000000..a36bbc8d3859 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "File made Immutable by Chattr", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.002", + "name": "Linux and Mac File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json new file mode 100644 index 000000000000..e7223af21ed1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "File made Immutable by Chattr", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.002", + "name": "Linux and Mac File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json deleted file mode 100644 index e6572b3a42c7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", - "false_positives": [ - "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Create Okta API Token", - "note": "", - "query": "event.dataset:okta.system and event.action:system.api_token.create\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json new file mode 100644 index 000000000000..5fcf5beb6292 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", + "false_positives": [ + "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Create Okta API Token", + "note": "", + "query": "event.dataset:okta.system and event.action:system.api_token.create\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json new file mode 100644 index 000000000000..d2fbfe43420d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", + "false_positives": [ + "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Create Okta API Token", + "note": "", + "query": "event.dataset:okta.system and event.action:system.api_token.create\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json deleted file mode 100644 index 0879b8a8be24..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence Through MOTD File Creation Detected", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", - "references": [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "type": "new_terms", - "version": 2 - }, - "id": "96d11d31-9a79-480f-8401-da28b194608f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json new file mode 100644 index 000000000000..6e4caf14d847 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through MOTD File Creation Detected", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "type": "new_terms", + "version": 1 + }, + "id": "96d11d31-9a79-480f-8401-da28b194608f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json new file mode 100644 index 000000000000..cfaeee7c6204 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through MOTD File Creation Detected", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "type": "new_terms", + "version": 2 + }, + "id": "96d11d31-9a79-480f-8401-da28b194608f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json deleted file mode 100644 index 0399acc3d87e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Access to Keychain Credentials Directories", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", - "references": [ - "https://objective-see.com/blog/blog_0x25.html", - "https://securelist.com/calisto-trojan-for-macos/86543/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json new file mode 100644 index 000000000000..d10ddf04e467 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to Keychain Credentials Directories", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", + "references": [ + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json new file mode 100644 index 000000000000..56ea6f1e4193 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to Keychain Credentials Directories", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", + "references": [ + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json deleted file mode 100644 index 9aa7acd6c9ef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "SeDebugPrivilege Enabled by a Suspicious Process", - "note": "", - "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", - "references": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", - "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.EnabledPrivilegeList", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ProcessName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", - "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "97020e61-e591-4191-8a3b-2861a2b887cd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json new file mode 100644 index 000000000000..3de39af5d65e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SeDebugPrivilege Enabled by a Suspicious Process", + "note": "", + "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", + "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.EnabledPrivilegeList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", + "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "97020e61-e591-4191-8a3b-2861a2b887cd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json new file mode 100644 index 000000000000..a56814618a32 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SeDebugPrivilege Enabled by a Suspicious Process", + "note": "", + "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", + "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.EnabledPrivilegeList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", + "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "97020e61-e591-4191-8a3b-2861a2b887cd_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json deleted file mode 100644 index 8300ec92dc7f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", - "false_positives": [ - "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "97314185-2568-4561-ae81-f3e480e5e695", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json new file mode 100644 index 000000000000..6eafbf335e0b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json new file mode 100644 index 000000000000..38485abc440b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json deleted file mode 100644 index f1f7bf3d25e5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.", - "false_positives": [ - "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Storage Bucket Configuration Modification", - "note": "", - "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n", - "references": [ - "https://cloud.google.com/storage/docs/key-terms#buckets" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1578", - "name": "Modify Cloud Compute Infrastructure", - "reference": "https://attack.mitre.org/techniques/T1578/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json new file mode 100644 index 000000000000..754ee01b685b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.", + "false_positives": [ + "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Configuration Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n", + "references": [ + "https://cloud.google.com/storage/docs/key-terms#buckets" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json new file mode 100644 index 000000000000..8f347c5d0560 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.", + "false_positives": [ + "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Configuration Modification", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n", + "references": [ + "https://cloud.google.com/storage/docs/key-terms#buckets" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json deleted file mode 100644 index e2ba17711334..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", - "false_positives": [ - "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS SAML Activity", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "979729e7-0c52-4c4c-b71e-88103304a79f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json new file mode 100644 index 000000000000..4d2ca3264a19 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", + "false_positives": [ + "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS SAML Activity", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "979729e7-0c52-4c4c-b71e-88103304a79f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json new file mode 100644 index 000000000000..44c6d4e8ca0d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", + "false_positives": [ + "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS SAML Activity", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "979729e7-0c52-4c4c-b71e-88103304a79f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json deleted file mode 100644 index e67a6e2d3c48..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Abuse of Repeated MFA Push Notifications", - "note": "", - "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", - "references": [ - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.email", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json new file mode 100644 index 000000000000..b41ccbbdf399 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Abuse of Repeated MFA Push Notifications", + "note": "", + "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", + "references": [ + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json new file mode 100644 index 000000000000..bf37b566107a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Abuse of Repeated MFA Push Notifications", + "note": "", + "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", + "references": [ + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json deleted file mode 100644 index b72d72447993..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Zoom Child Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - }, - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json new file mode 100644 index 000000000000..e02123a94116 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json new file mode 100644 index 000000000000..24defa46883b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json deleted file mode 100644 index 1f0fc9b2c807..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Renaming of ESXI Files", - "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.original.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.003", - "name": "Rename System Utilities", - "reference": "https://attack.mitre.org/techniques/T1036/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json new file mode 100644 index 000000000000..02940c821970 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI Files", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json new file mode 100644 index 000000000000..1f87aa7860bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI Files", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json deleted file mode 100644 index d547f54f223d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Startup or Run Key Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.value", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", - "timeline_title": "Comprehensive Registry Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "97fc44d3-8dae-4019-ae83-298c3015600f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json new file mode 100644 index 000000000000..903b1a2ebdf4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json new file mode 100644 index 000000000000..0d013fb27cbf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json new file mode 100644 index 000000000000..14de65aa45c0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json new file mode 100644 index 000000000000..639d6519603c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json deleted file mode 100644 index 259c48b9cbb9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", - "false_positives": [ - "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "eql", - "license": "Elastic License v2", - "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", - "references": [ - "https://support.google.com/drive/answer/2494822" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.drive.visibility", - "type": "unknown" - }, - { - "ecs": true, - "name": "source.user.email", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.004", - "name": "Private Keys", - "reference": "https://attack.mitre.org/techniques/T1552/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "980b70a0-c820-11ed-8799-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json new file mode 100644 index 000000000000..239bd5615e5b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", + "false_positives": [ + "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", + "references": [ + "https://support.google.com/drive/answer/2494822" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.visibility", + "type": "unknown" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json new file mode 100644 index 000000000000..387c49676cb1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", + "false_positives": [ + "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", + "references": [ + "https://support.google.com/drive/answer/2494822" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.visibility", + "type": "unknown" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json deleted file mode 100644 index 07f2b6b91636..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", - "false_positives": [ - "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Service Account Key Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts", - "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "9890ee61-d061-403d-9bf6-64934c51f638", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json new file mode 100644 index 000000000000..187b637ac138 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", + "false_positives": [ + "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Service Account Key Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "9890ee61-d061-403d-9bf6-64934c51f638_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json new file mode 100644 index 000000000000..5437d1f405d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", + "false_positives": [ + "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Service Account Key Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts", + "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "9890ee61-d061-403d-9bf6-64934c51f638_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json deleted file mode 100644 index 3be5f31451bc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", - "false_positives": [ - "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Management Group Role Assignment", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "98995807-5b09-4e37-8a54-5cae5dc932d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json new file mode 100644 index 000000000000..b0bde1bf058c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json new file mode 100644 index 000000000000..a729bbb5e09c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json deleted file mode 100644 index 8cdf1eefb165..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", - "false_positives": [ - "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Snapshot Activity", - "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Exfiltration", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json new file mode 100644 index 000000000000..85efda3a2892 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Snapshot Activity", + "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility", + "Exfiltration", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json new file mode 100644 index 000000000000..b731f4fe502e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Snapshot Activity", + "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Exfiltration", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json deleted file mode 100644 index aa34f42b1d37..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Process Injection - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json new file mode 100644 index 000000000000..38984f0fe622 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Process Injection - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json new file mode 100644 index 000000000000..84e5dae0ce1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Process Injection - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json deleted file mode 100644 index 9c7b91004170..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json +++ /dev/null @@ -1,127 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", - "false_positives": [ - "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "MacOS Installer Package Spawns Network Event", - "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", - "references": [ - "https://redcanary.com/blog/clipping-silver-sparrows-wings", - "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", - "https://github.com/D00MFist/Mystikal" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json new file mode 100644 index 000000000000..d2e3f8ebbc7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", + "false_positives": [ + "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MacOS Installer Package Spawns Network Event", + "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", + "references": [ + "https://redcanary.com/blog/clipping-silver-sparrows-wings", + "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", + "https://github.com/D00MFist/Mystikal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json new file mode 100644 index 000000000000..df82b05b863e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", + "false_positives": [ + "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MacOS Installer Package Spawns Network Event", + "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", + "references": [ + "https://redcanary.com/blog/clipping-silver-sparrows-wings", + "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", + "https://github.com/D00MFist/Mystikal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json deleted file mode 100644 index a59888b66bf9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via LSASS Memory Dump", - "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", - "references": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.CallTrace", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetImage", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "9960432d-9b26-409f-972b-839a959e79e2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json new file mode 100644 index 000000000000..06b5b0c37432 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via LSASS Memory Dump", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", + "references": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9960432d-9b26-409f-972b-839a959e79e2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json new file mode 100644 index 000000000000..1412faa657a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via LSASS Memory Dump", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", + "references": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9960432d-9b26-409f-972b-839a959e79e2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_106.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_106.json new file mode 100644 index 000000000000..a95a9ff2130c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_106.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via LSASS Memory Dump", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", + "references": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "9960432d-9b26-409f-972b-839a959e79e2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json deleted file mode 100644 index 86034c2517b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", - "false_positives": [ - "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_high_count_logon_fails", - "name": "Spike in Failed Logon Events", - "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json new file mode 100644 index 000000000000..743296e563fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", + "false_positives": [ + "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_fails", + "name": "Spike in Failed Logon Events", + "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json new file mode 100644 index 000000000000..1ba30115b6ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", + "false_positives": [ + "A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_fails", + "name": "Spike in Failed Logon Events", + "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json deleted file mode 100644 index a8884dfbb491..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", - "enabled": true, - "exceptions_list": [ - { - "id": "endpoint_list", - "list_id": "endpoint_list", - "namespace_type": "agnostic", - "type": "endpoint" - } - ], - "from": "now-10m", - "index": [ - "logs-endpoint.alerts-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Endpoint Security", - "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "risk_score_mapping": [ - { - "field": "event.risk_score", - "operator": "equals", - "value": "" - } - ], - "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", - "rule_name_override": "message", - "severity": "medium", - "severity_mapping": [ - { - "field": "event.severity", - "operator": "equals", - "severity": "low", - "value": "21" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "medium", - "value": "47" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "high", - "value": "73" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "critical", - "value": "99" - } - ], - "tags": [ - "Data Source: Elastic Defend" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json new file mode 100644 index 000000000000..ed8e2fb2f4b8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "enabled": true, + "exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "from": "now-10m", + "index": [ + "logs-endpoint.alerts-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Endpoint Security", + "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Elastic", + "Endpoint Security" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json new file mode 100644 index 000000000000..35af4988b17d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "enabled": true, + "exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "from": "now-10m", + "index": [ + "logs-endpoint.alerts-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Endpoint Security", + "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Data Source: Elastic Defend" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json deleted file mode 100644 index 523a5c9907f6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Shadow File Read via Command Line Utilities", - "new_terms_fields": [ - "process.command_line" - ], - "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", - "references": [ - "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.008", - "name": "/etc/passwd and /etc/shadow", - "reference": "https://attack.mitre.org/techniques/T1003/008/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 105 - }, - "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json new file mode 100644 index 000000000000..6b697d8613b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow File Read via Command Line Utilities", + "new_terms_fields": [ + "process.command_line" + ], + "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 105 + }, + "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json new file mode 100644 index 000000000000..80ee361a8621 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Shadow File Read via Command Line Utilities", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and user.name == \"root\"\n and (process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\"))\n and not process.executable:\n (\"/usr/bin/tar\",\n \"/bin/tar\",\n \"/usr/bin/gzip\",\n \"/bin/gzip\",\n \"/usr/bin/zip\",\n \"/bin/zip\",\n \"/usr/bin/stat\",\n \"/bin/stat\",\n \"/usr/bin/cmp\",\n \"/bin/cmp\",\n \"/usr/bin/sudo\",\n \"/bin/sudo\",\n \"/usr/bin/find\",\n \"/bin/find\",\n \"/usr/bin/ls\",\n \"/bin/ls\",\n \"/usr/bin/uniq\",\n \"/bin/uniq\",\n \"/usr/bin/unzip\",\n \"/bin/unzip\",\n \"/usr/sbin/restorecon\",\n \"/sbin/restorecon\")\n and not process.parent.executable: \"/bin/dracut\" and\n not (process.executable : (\"/bin/chown\", \"/usr/bin/chown\") and process.args : \"root:shadow\") and\n not (process.executable : (\"/bin/chmod\", \"/usr/bin/chmod\") and process.args : \"640\")\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json new file mode 100644 index 000000000000..70dce9764c7c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Shadow File Read via Command Line Utilities", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and user.name == \"root\"\n and (process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\"))\n and not process.executable:\n (\"/usr/bin/tar\",\n \"/bin/tar\",\n \"/usr/bin/gzip\",\n \"/bin/gzip\",\n \"/usr/bin/zip\",\n \"/bin/zip\",\n \"/usr/bin/stat\",\n \"/bin/stat\",\n \"/usr/bin/cmp\",\n \"/bin/cmp\",\n \"/usr/bin/sudo\",\n \"/bin/sudo\",\n \"/usr/bin/find\",\n \"/bin/find\",\n \"/usr/bin/ls\",\n \"/bin/ls\",\n \"/usr/bin/uniq\",\n \"/bin/uniq\",\n \"/usr/bin/unzip\",\n \"/bin/unzip\",\n \"/usr/sbin/restorecon\",\n \"/sbin/restorecon\")\n and not process.parent.executable: \"/bin/dracut\" and\n not (process.executable : (\"/bin/chown\", \"/usr/bin/chown\") and process.args : \"root:shadow\") and\n not (process.executable : (\"/bin/chmod\", \"/usr/bin/chmod\") and process.args : \"640\")\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json deleted file mode 100644 index 297ef839a76c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Explorer Child Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json new file mode 100644 index 000000000000..ecfbcb58697f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Explorer Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json new file mode 100644 index 000000000000..a5d87374b6bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Explorer Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json deleted file mode 100644 index 426f79ca3b28..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Scheduled Tasks AT Command Enabled", - "note": "", - "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json new file mode 100644 index 000000000000..af8ef7334f98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Tasks AT Command Enabled", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json new file mode 100644 index 000000000000..a096603be93f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Tasks AT Command Enabled", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json deleted file mode 100644 index ab3025131d66..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via WMI Event Subscription", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", - "references": [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.003", - "name": "Windows Management Instrumentation Event Subscription", - "reference": "https://attack.mitre.org/techniques/T1546/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json new file mode 100644 index 000000000000..461ad1668524 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Event Subscription", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.003", + "name": "Windows Management Instrumentation Event Subscription", + "reference": "https://attack.mitre.org/techniques/T1546/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json new file mode 100644 index 000000000000..f9937e16c475 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Event Subscription", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.003", + "name": "Windows Management Instrumentation Event Subscription", + "reference": "https://attack.mitre.org/techniques/T1546/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json deleted file mode 100644 index c098879b179d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Hosts File Modified", - "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", - "references": [ - "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - } - ], - "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "timeline_title": "Comprehensive File Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json new file mode 100644 index 000000000000..5dae4f3d062e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Hosts File Modified", + "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", + "references": [ + "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Impact", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json new file mode 100644 index 000000000000..bdf0f239bdc6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Hosts File Modified", + "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", + "references": [ + "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json deleted file mode 100644 index e787ee80a497..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json +++ /dev/null @@ -1,133 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Logon followed by Scheduled Task Creation", - "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 6 - }, - "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json new file mode 100644 index 000000000000..ae74b2ac180e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Logon followed by Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json new file mode 100644 index 000000000000..49413c133a3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Logon followed by Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json new file mode 100644 index 000000000000..d61f60387723 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Logon followed by Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json deleted file mode 100644 index 706f59e76772..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json +++ /dev/null @@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", - "false_positives": [ - "Microsoft Windows installers leveraging RunDLL32 for installation." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Shell Activity Started via RunDLL32", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - }, - { - "id": "T1059.003", - "name": "Windows Command Shell", - "reference": "https://attack.mitre.org/techniques/T1059/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json new file mode 100644 index 000000000000..e27a01762355 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json @@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Shell Activity Started via RunDLL32", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json new file mode 100644 index 000000000000..7749905d8aaf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json @@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Shell Activity Started via RunDLL32", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json deleted file mode 100644 index 2e01cfcf0a6c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by a Script Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/", - "subtechnique": [ - { - "id": "T1127.001", - "name": "MSBuild", - "reference": "https://attack.mitre.org/techniques/T1127/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json new file mode 100644 index 000000000000..8cfe72e6e3ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a Script Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json new file mode 100644 index 000000000000..8019ce996616 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a Script Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json deleted file mode 100644 index d3891a3d90b2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by a System Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/", - "subtechnique": [ - { - "id": "T1127.001", - "name": "MSBuild", - "reference": "https://attack.mitre.org/techniques/T1127/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json new file mode 100644 index 000000000000..8383098de065 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a System Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json new file mode 100644 index 000000000000..93630163e87a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a System Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json deleted file mode 100644 index 898935a5aa70..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.003", - "name": "Rename System Utilities", - "reference": "https://attack.mitre.org/techniques/T1036/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json new file mode 100644 index 000000000000..8e8a5254413d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json new file mode 100644 index 000000000000..7f33418e2755 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json new file mode 100644 index 000000000000..a6622a8cae00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json deleted file mode 100644 index 28cb7b0fe8aa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json new file mode 100644 index 000000000000..e9755b5007d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Trusted Developer Utility", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json new file mode 100644 index 000000000000..6b431caa5259 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Trusted Developer Utility", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json new file mode 100644 index 000000000000..852c80159e58 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Trusted Developer Utility", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json deleted file mode 100644 index f227c61796fe..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started an Unusual Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/", - "subtechnique": [ - { - "id": "T1027.004", - "name": "Compile After Delivery", - "reference": "https://attack.mitre.org/techniques/T1027/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json new file mode 100644 index 000000000000..b00b17555a94 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started an Unusual Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json new file mode 100644 index 000000000000..9c1929e3628b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started an Unusual Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json deleted file mode 100644 index 0dca8a7f2515..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." - ], - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Process Injection by the Microsoft Build Engine", - "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json new file mode 100644 index 000000000000..779227b77131 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json new file mode 100644 index 000000000000..a1e159201615 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json deleted file mode 100644 index 219208f37c5e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", - "false_positives": [ - "Trusted applications persisting via LaunchDaemons" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "LaunchDaemon Creation or Modification and Immediate Loading", - "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", - "references": [ - "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "9d19ece6-c20e-481a-90c5-ccca596537de", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json new file mode 100644 index 000000000000..da6030d61a64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", + "false_positives": [ + "Trusted applications persisting via LaunchDaemons" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LaunchDaemon Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "9d19ece6-c20e-481a-90c5-ccca596537de_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json new file mode 100644 index 000000000000..395dd4a143cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", + "false_positives": [ + "Trusted applications persisting via LaunchDaemons" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LaunchDaemon Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "9d19ece6-c20e-481a-90c5-ccca596537de_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json deleted file mode 100644 index e7aa98fd5189..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_rare_metadata_process" - ], - "name": "Unusual Linux Process Calling the Metadata Service", - "risk_score": 21, - "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.005", - "name": "Cloud Instance Metadata API", - "reference": "https://attack.mitre.org/techniques/T1552/005/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "9d302377-d226-4e12-b54c-1906b5aec4f6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json new file mode 100644 index 000000000000..2781ffb5b4f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_process" + ], + "name": "Unusual Linux Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json new file mode 100644 index 000000000000..413635978bf6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_metadata_process" + ], + "name": "Unusual Linux Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json deleted file mode 100644 index 45f41fb5694b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Protocol Tunneling via EarthWorm", - "note": "", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", - "references": [ - "http://rootkiter.com/EarthWorm/", - "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1572", - "name": "Protocol Tunneling", - "reference": "https://attack.mitre.org/techniques/T1572/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json new file mode 100644 index 000000000000..0920d48431d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via EarthWorm", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", + "references": [ + "http://rootkiter.com/EarthWorm/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Command and Control", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json new file mode 100644 index 000000000000..3648175a9afd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via EarthWorm", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", + "references": [ + "http://rootkiter.com/EarthWorm/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json deleted file mode 100644 index 148e42847c15..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via DCSync", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", - "references": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", - "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", - "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AccessMask", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.Properties", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserName", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.006", - "name": "DCSync", - "reference": "https://attack.mitre.org/techniques/T1003/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json new file mode 100644 index 000000000000..91ac16bf9866 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DCSync", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json new file mode 100644 index 000000000000..0e7c8c9fe4eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DCSync", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json new file mode 100644 index 000000000000..18fb2a42f3b2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DCSync", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json deleted file mode 100644 index 6753571dd5cb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", - "false_positives": [ - "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "File Permission Modification in Writable Directory", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json new file mode 100644 index 000000000000..495f873c2db6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", + "false_positives": [ + "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Permission Modification in Writable Directory", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json new file mode 100644 index 000000000000..011bf3d8473d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", + "false_positives": [ + "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Permission Modification in Writable Directory", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json deleted file mode 100644 index 58d1c660c943..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Nick Jones", - "Elastic" - ], - "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "history_window_start": "now-15d", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "new_terms_fields": [ - "aws.cloudtrail.user_identity.access_key_id", - "aws.cloudtrail.request_parameters" - ], - "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", - "references": [ - "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", - "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "user_agent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 206 - }, - "id": "a00681e3-9ed6-447c-ab2c-be648821c622", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json new file mode 100644 index 000000000000..7094f7221fe6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Access Secret in Secrets Manager", + "note": "## Triage and analysis\n\n### Investigating AWS Access Secret in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using the API `GetSecretValue` action.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Data Protection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json new file mode 100644 index 000000000000..c8ea371bb361 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "history_window_start": "now-15d", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.request_parameters" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Data Protection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 205 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json new file mode 100644 index 000000000000..f5185971a419 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "history_window_start": "now-15d", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.request_parameters" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 206 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json deleted file mode 100644 index ff797c249c84..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "A scheduled task was updated", - "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and \n not winlog.event_data.TaskName : \"*Microsoft*\" and \n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\", \n \"\\\\IpamDnsProvisioning\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\", \n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\", \n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and \n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectUserSid", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TaskName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 8 - }, - "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json new file mode 100644 index 000000000000..ff3b20a472c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was updated", + "query": "iam where host.os.type == \"windows\" and event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json new file mode 100644 index 000000000000..d788915f2a9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was updated", + "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json new file mode 100644 index 000000000000..770ad3c7436f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was updated", + "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json new file mode 100644 index 000000000000..135b69c4c486 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "A scheduled task was updated", + "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and \n not winlog.event_data.TaskName : \"*Microsoft*\" and \n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\", \n \"\\\\IpamDnsProvisioning\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\", \n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\", \n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and \n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TaskName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json deleted file mode 100644 index 413ff0d01452..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", - "false_positives": [ - "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Topic Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n", - "references": [ - "https://cloud.google.com/pubsub/docs/admin" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json new file mode 100644 index 000000000000..655541c9248e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", + "false_positives": [ + "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Topic Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/admin" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json new file mode 100644 index 000000000000..75b86dd22309 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", + "false_positives": [ + "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Topic Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/admin" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json deleted file mode 100644 index 27298f213d98..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "InstallUtil Process Making Network Connections", - "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.004", - "name": "InstallUtil", - "reference": "https://attack.mitre.org/techniques/T1218/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "a13167f1-eec2-4015-9631-1fee60406dcf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json new file mode 100644 index 000000000000..1c9fc1cb0310 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "InstallUtil Process Making Network Connections", + "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.004", + "name": "InstallUtil", + "reference": "https://attack.mitre.org/techniques/T1218/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "a13167f1-eec2-4015-9631-1fee60406dcf_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json new file mode 100644 index 000000000000..674b9dc64546 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "InstallUtil Process Making Network Connections", + "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.004", + "name": "InstallUtil", + "reference": "https://attack.mitre.org/techniques/T1218/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "a13167f1-eec2-4015-9631-1fee60406dcf_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json deleted file mode 100644 index ecc331296134..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "File Deletion via Shred", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "a1329140-8de3-4445-9f87-908fb6d824f4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json new file mode 100644 index 000000000000..12c54b2f33fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json new file mode 100644 index 000000000000..f4cf62692e9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json deleted file mode 100644 index 48f356012946..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "note": "", - "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", - "references": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", - "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json new file mode 100644 index 000000000000..1491d84e404d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", + "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json new file mode 100644 index 000000000000..55e9d74481d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "note": "", + "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", + "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json deleted file mode 100644 index 160f41e9dcb5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Subsystem for Linux Distribution Installed", - "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", - "references": [ - "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - }, - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", - "timeline_title": "Comprehensive Registry Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json new file mode 100644 index 000000000000..c16b1a2398fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Distribution Installed", + "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json new file mode 100644 index 000000000000..757f14c38cf3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Distribution Installed", + "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json deleted file mode 100644 index 27b6c885e677..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", - "false_positives": [ - "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Route Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", - "references": [ - "https://cloud.google.com/vpc/docs/routes", - "https://cloud.google.com/vpc/docs/using-routes" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json new file mode 100644 index 000000000000..5b14fc6b023c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json new file mode 100644 index 000000000000..09c8fb49a2af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json new file mode 100644 index 000000000000..0ab20a7ae69c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json @@ -0,0 +1,64 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", + "enabled": false, + "false_positives": [ + "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts." + ], + "from": "now-24h", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "traces-apm*", + "winlogbeat-*", + "-*elastic-cloud-logs-*" + ], + "interval": "24h", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 1, + "name": "My First Rule", + "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", + "query": "event.kind:\"event\"\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", + "severity": "low", + "tags": [ + "Elastic", + "Example", + "Guided Onboarding", + "Network", + "APM", + "Windows", + "Elastic Endgame" + ], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 1 + }, + "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json new file mode 100644 index 000000000000..c27659204d9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json @@ -0,0 +1,61 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", + "enabled": false, + "false_positives": [ + "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts." + ], + "from": "now-24h", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "traces-apm*", + "winlogbeat-*", + "-*elastic-cloud-logs-*" + ], + "interval": "24h", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 1, + "name": "My First Rule", + "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", + "query": "event.kind:event\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", + "severity": "low", + "tags": [ + "Use Case: Guided Onboarding", + "Data Source: APM", + "OS: Windows", + "Data Source: Elastic Endgame" + ], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 2 + }, + "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json deleted file mode 100644 index b2e5b36f0926..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell Activity via Terminal", - "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", - "https://github.com/WangYihang/Reverse-Shell-Manager", - "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json new file mode 100644 index 000000000000..15de158feb1f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell Activity via Terminal", + "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json new file mode 100644 index 000000000000..375257ae2d9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell Activity via Terminal", + "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json deleted file mode 100644 index 1933ad297867..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", - "from": "now-9m", - "index": [ - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux Group Creation", - "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "group.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json new file mode 100644 index 000000000000..0b195183b12a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Group Creation", + "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json deleted file mode 100644 index e6462d21ddbb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "DNS-over-HTTPS Enabled via Registry", - "note": "", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", - "references": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json new file mode 100644 index 000000000000..888ef85eef71 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS-over-HTTPS Enabled via Registry", + "note": "", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", + "references": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json new file mode 100644 index 000000000000..861d46442187 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS-over-HTTPS Enabled via Registry", + "note": "", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", + "references": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json deleted file mode 100644 index 1ce28a924b9a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", - "false_positives": [ - "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", - "references": [ - "https://support.google.com/a/answer/6089179?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.application.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "a2795334-2499-11ed-9e1a-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json new file mode 100644 index 000000000000..a632baf42002 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", + "references": [ + "https://support.google.com/a/answer/6089179?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json new file mode 100644 index 000000000000..100399ad492e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", + "references": [ + "https://support.google.com/a/answer/6089179?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json new file mode 100644 index 000000000000..3ae589e33e4b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", + "false_positives": [ + "Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", + "references": [ + "https://support.google.com/a/answer/6089179?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.application.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json deleted file mode 100644 index 8a27615a583c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Mailbox Collection Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n )\n", - "references": [ - "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.001", - "name": "Local Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/001/" - }, - { - "id": "T1114.002", - "name": "Remote Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json new file mode 100644 index 000000000000..cb663a938857 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Mailbox Collection Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n )\n", + "references": [ + "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "PowerShell", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json new file mode 100644 index 000000000000..c10b10d862d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Mailbox Collection Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : ( \n \"::olFolderInBox\" or \n Interop.Outlook.olDefaultFolders or \n Microsoft.Exchange.WebServices.Data.FileAttachment or \n Microsoft.Exchange.WebServices.Data.Folder or \n Microsoft.Office.Interop.Outlook)\n", + "references": [ + "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json new file mode 100644 index 000000000000..fc9abb0d1910 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Mailbox Collection Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n )\n", + "references": [ + "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json deleted file mode 100644 index ea63c370f796..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via local SxS Shared Module", - "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", - "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1129", - "name": "Shared Modules", - "reference": "https://attack.mitre.org/techniques/T1129/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json new file mode 100644 index 000000000000..b8caa522f018 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via local SxS Shared Module", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", + "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1129", + "name": "Shared Modules", + "reference": "https://attack.mitre.org/techniques/T1129/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json new file mode 100644 index 000000000000..e43b4d9afe5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via local SxS Shared Module", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", + "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1129", + "name": "Shared Modules", + "reference": "https://attack.mitre.org/techniques/T1129/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json deleted file mode 100644 index 56d1674f094f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Registry File Creation in SMB Share", - "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", - "references": [ - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.header_bytes", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.size", - "type": "long" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json new file mode 100644 index 000000000000..13d3b3acd2ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Registry File Creation in SMB Share", + "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json new file mode 100644 index 000000000000..3ef78157c212 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Registry File Creation in SMB Share", + "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json deleted file mode 100644 index ecd20115acb6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Assume Role Policy Update", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", - "references": [ - "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json new file mode 100644 index 000000000000..8f3b3f7e3bcb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Assume Role Policy Update", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", + "references": [ + "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json new file mode 100644 index 000000000000..c007c86f791c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Assume Role Policy Update", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", + "references": [ + "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json deleted file mode 100644 index 40c793905d10..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", - "false_positives": [ - "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Active Directory PowerShell Sign-in", - "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized access if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings that weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users as exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n", - "references": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", - "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.signinlogs.properties.app_display_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.signinlogs.properties.token_issuer_type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json new file mode 100644 index 000000000000..53fac43041ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", + "false_positives": [ + "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory PowerShell Sign-in", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized access if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings that weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users as exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", + "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.app_display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.token_issuer_type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json new file mode 100644 index 000000000000..6f9c3d45e8b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", + "false_positives": [ + "Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Active Directory PowerShell Sign-in", + "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized access if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings that weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users as exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n", + "references": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", + "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.signinlogs.properties.app_display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.token_issuer_type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json deleted file mode 100644 index b0c92da38d75..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Threat Intel Windows Registry Indicator Match", - "query": "registry.path:*\n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", - "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" - ], - "required_fields": [ - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 99, - "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Rule Type: Indicator Match" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "filebeat-*", - "logs-ti_*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "registry.path", - "type": "mapping", - "value": "threat.indicator.registry.path" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 1 - }, - "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json new file mode 100644 index 000000000000..c27a0d53e9bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Windows Registry Indicator Match", + "query": "registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 1 + }, + "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json deleted file mode 100644 index 988c3290fd6e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious MS Office Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", - "references": [ - "https://www.elastic.co/blog/vulnerability-summary-follina" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.003", - "name": "Windows Command Shell", - "reference": "https://attack.mitre.org/techniques/T1059/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json new file mode 100644 index 000000000000..9d77ca77a8fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Office Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", + "references": [ + "https://www.elastic.co/blog/vulnerability-summary-follina" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Investigation Guide", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "a624863f-a70d-417f-a7d2-7a404638d47f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json new file mode 100644 index 000000000000..78502a8c15ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Office Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", + "references": [ + "https://www.elastic.co/blog/vulnerability-summary-follina" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "a624863f-a70d-417f-a7d2-7a404638d47f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json deleted file mode 100644 index 0117a34fc4f9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Emond Rules Creation or Modification", - "note": "", - "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", - "references": [ - "https://www.xorrior.com/emond-persistence/", - "https://www.sentinelone.com/blog/how-malware-persists-on-macos/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.014", - "name": "Emond", - "reference": "https://attack.mitre.org/techniques/T1546/014/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json new file mode 100644 index 000000000000..6946af1f5700 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Emond Rules Creation or Modification", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/", + "https://www.sentinelone.com/blog/how-malware-persists-on-macos/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json new file mode 100644 index 000000000000..ce2d3186f3ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Emond Rules Creation or Modification", + "note": "", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/", + "https://www.sentinelone.com/blog/how-malware-persists-on-macos/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json deleted file mode 100644 index 00f3ed23fa7f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Print Spooler SPL File Created", - "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", - "references": [ - "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json new file mode 100644 index 000000000000..234e8bcccb87 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler SPL File Created", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json new file mode 100644 index 000000000000..d28c98065bec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler SPL File Created", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json new file mode 100644 index 000000000000..85126db18bd6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler SPL File Created", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json deleted file mode 100644 index ee79fd9b8ccc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Credential Acquisition via Registry Hive Dumping", - "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", - "references": [ - "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - }, - { - "id": "T1003.004", - "name": "LSA Secrets", - "reference": "https://attack.mitre.org/techniques/T1003/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json new file mode 100644 index 000000000000..cb0708811ea0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json new file mode 100644 index 000000000000..b8a3fc4b5567 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json deleted file mode 100644 index f95ac52a4672..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.", - "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*", - "traces-apm*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Web Application Suspicious Activity: POST Request Declined", - "query": "http.response.status_code:403 and http.request.method:post\n", - "references": [ - "https://en.wikipedia.org/wiki/HTTP_403" - ], - "related_integrations": [ - { - "package": "apm", - "version": "^8.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "http.request.method", - "type": "keyword" - }, - { - "ecs": true, - "name": "http.response.status_code", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "severity": "medium", - "tags": [ - "Data Source: APM" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json new file mode 100644 index 000000000000..d7a8f727c1e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: POST Request Declined", + "query": "http.response.status_code:403 and http.request.method:post\n", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102.json b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102.json new file mode 100644 index 000000000000..1772c238f876 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.", + "false_positives": [ + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: POST Request Declined", + "query": "http.response.status_code:403 and http.request.method:post\n", + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "medium", + "tags": [ + "Data Source: APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json deleted file mode 100644 index 0dcf89bafda5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads.", - "false_positives": [ - "Approved third-party applications that use Google Drive download URLs.", - "Legitimate publicly shared files from Google Drive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Malicious File Downloaded from Google Drive", - "query": "sequence by host.id, process.entity_id with maxspan=30s\n[any where\n\n /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */\n (event.action in (\"exec\", \"fork\", \"start\", \"load\")) or\n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.args : \"*drive.google.com*\" and process.args : \"*export=download*\" and process.args : \"*confirm=no_antivirus*\")\n]\n\n[network where\n /* Look for DNS requests for Google Drive */\n (dns.question.name : \"drive.google.com\" and dns.question.type : \"A\") or\n\n /* Look for connection attempts to address that resolves to Google */\n (destination.as.organization.name : \"GOOGLE\" and event.action == \"connection_attempted\")\n\n /* NOTE: Add LoLBins if tuning is required\n process.name : (\n \"cmd.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"esentutl.exe\", \"wmic.exe\", \"PowerShell.exe\",\n \"homedrive.exe\",\"regsvr32.exe\", \"mshta.exe\", \"rundll32.exe\", \"cscript.exe\", \"wscript.exe\",\n \"curl\", \"wget\", \"scp\", \"ftp\", \"python\", \"perl\", \"ruby\"))] */\n]\n\n/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */\n[file where event.action == \"creation\" and file.extension : (\n \"exe\", \"dll\", \"scr\", \"jar\", \"pif\", \"app\", \"dmg\", \"pkg\", \"elf\", \"so\", \"bin\", \"deb\", \"rpm\",\"sh\",\"hta\",\"lnk\"\n )\n]\n", - "references": [ - "https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.as.organization.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dns.question.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json new file mode 100644 index 000000000000..9d440ead0f5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads.", + "false_positives": [ + "Approved third-party applications that use Google Drive download URLs.", + "Legitimate publicly shared files from Google Drive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Malicious File Downloaded from Google Drive", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n[any where\n\n /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */\n (event.action in (\"exec\", \"fork\", \"start\", \"load\")) or\n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.args : \"*drive.google.com*\" and process.args : \"*export=download*\" and process.args : \"*confirm=no_antivirus*\")\n]\n\n[network where\n /* Look for DNS requests for Google Drive */\n (dns.question.name : \"drive.google.com\" and dns.question.type : \"A\") or\n\n /* Look for connection attempts to address that resolves to Google */\n (destination.as.organization.name : \"GOOGLE\" and event.action == \"connection_attempted\")\n\n /* NOTE: Add LoLBins if tuning is required\n process.name : (\n \"cmd.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"esentutl.exe\", \"wmic.exe\", \"PowerShell.exe\",\n \"homedrive.exe\",\"regsvr32.exe\", \"mshta.exe\", \"rundll32.exe\", \"cscript.exe\", \"wscript.exe\",\n \"curl\", \"wget\", \"scp\", \"ftp\", \"python\", \"perl\", \"ruby\"))] */\n]\n\n/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */\n[file where event.action == \"creation\" and file.extension : (\n \"exe\", \"dll\", \"scr\", \"jar\", \"pif\", \"app\", \"dmg\", \"pkg\", \"elf\", \"so\", \"bin\", \"deb\", \"rpm\",\"sh\",\"hta\",\"lnk\"\n )\n]\n", + "references": [ + "https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.as.organization.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json deleted file mode 100644 index a7649732c98b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", - "false_positives": [ - "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json new file mode 100644 index 000000000000..cac27ffb1b64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json new file mode 100644 index 000000000000..0ee1df0ef5b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json deleted file mode 100644 index 175cd1a33fe2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Password Policy Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.setting.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", - "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json new file mode 100644 index 000000000000..a7ecf24fafa0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json new file mode 100644 index 000000000000..2acc4e342971 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json new file mode 100644 index 000000000000..04f6349c88ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json deleted file mode 100644 index 1029c2524713..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Hidden Run Key Detected", - "note": "", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", - "references": [ - "https://github.com/outflanknl/SharpHide", - "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json new file mode 100644 index 000000000000..97b87e544f89 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Hidden Run Key Detected", + "note": "", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "references": [ + "https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json new file mode 100644 index 000000000000..b56778c3d07f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Hidden Run Key Detected", + "note": "", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "references": [ + "https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json deleted file mode 100644 index 9901863631da..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", - "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "IPSEC NAT Traversal Port Activity", - "query": "event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500\n", - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json new file mode 100644 index 000000000000..8032c2eee4cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IPSEC NAT Traversal Port Activity", + "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json new file mode 100644 index 000000000000..8cf5893a1a38 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json @@ -0,0 +1,68 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "IPSEC NAT Traversal Port Activity", + "query": "event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500\n", + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json deleted file mode 100644 index b8f92a73397b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", - "false_positives": [ - "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Custom Role Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/understanding-custom-roles" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "aa8007f0-d1df-49ef-8520-407857594827", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json new file mode 100644 index 000000000000..e4eb0c6a662f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", + "false_positives": [ + "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Custom Role Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/understanding-custom-roles" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "aa8007f0-d1df-49ef-8520-407857594827_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json new file mode 100644 index 000000000000..c80d4cf2a4e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", + "false_positives": [ + "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Custom Role Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/understanding-custom-roles" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "aa8007f0-d1df-49ef-8520-407857594827_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json deleted file mode 100644 index 055bcf245c91..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Log File Deletion", - "note": "", - "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.002", - "name": "Clear Linux or Mac System Logs", - "reference": "https://attack.mitre.org/techniques/T1070/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "aa895aea-b69c-4411-b110-8d7599634b30", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json new file mode 100644 index 000000000000..d07a6fa63ef3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Log File Deletion", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.002", + "name": "Clear Linux or Mac System Logs", + "reference": "https://attack.mitre.org/techniques/T1070/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "aa895aea-b69c-4411-b110-8d7599634b30_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json new file mode 100644 index 000000000000..a5f8fd540b83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Log File Deletion", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.002", + "name": "Clear Linux or Mac System Logs", + "reference": "https://attack.mitre.org/techniques/T1070/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "aa895aea-b69c-4411-b110-8d7599634b30_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json deleted file mode 100644 index 750d7262fc81..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json +++ /dev/null @@ -1,135 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", - "references": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 107 - }, - "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json new file mode 100644 index 000000000000..2b33e279993f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json new file mode 100644 index 000000000000..00094fc9c48f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json new file mode 100644 index 000000000000..a645daeefe87 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json new file mode 100644 index 000000000000..dce684546e91 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json deleted file mode 100644 index aa5889389c9a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json +++ /dev/null @@ -1,248 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Threat Intel Hash Indicator Match", - "query": "file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:* \n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", - "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" - ], - "required_fields": [ - { - "ecs": false, - "name": "dll.hash.*", - "type": "unknown" - }, - { - "ecs": true, - "name": "dll.pe.imphash", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.hash.*", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.pe.imphash", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.hash.*", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.pe.imphash", - "type": "keyword" - } - ], - "risk_score": 99, - "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Rule Type: Indicator Match" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "filebeat-*", - "logs-ti_*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "file.hash.md5", - "type": "mapping", - "value": "threat.indicator.file.hash.md5" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha1", - "type": "mapping", - "value": "threat.indicator.file.hash.sha1" - } - ] - }, - { - "entries": [ - { - "field": "file.hash.sha256", - "type": "mapping", - "value": "threat.indicator.file.hash.sha256" - } - ] - }, - { - "entries": [ - { - "field": "file.pe.imphash", - "type": "mapping", - "value": "threat.indicator.file.pe.imphash" - } - ] - }, - { - "entries": [ - { - "field": "dll.hash.md5", - "type": "mapping", - "value": "threat.indicator.file.hash.md5" - } - ] - }, - { - "entries": [ - { - "field": "dll.hash.sha1", - "type": "mapping", - "value": "threat.indicator.file.hash.sha1" - } - ] - }, - { - "entries": [ - { - "field": "dll.hash.sha256", - "type": "mapping", - "value": "threat.indicator.file.hash.sha256" - } - ] - }, - { - "entries": [ - { - "field": "process.hash.md5", - "type": "mapping", - "value": "threat.indicator.file.hash.md5" - } - ] - }, - { - "entries": [ - { - "field": "process.hash.sha1", - "type": "mapping", - "value": "threat.indicator.file.hash.sha1" - } - ] - }, - { - "entries": [ - { - "field": "process.hash.sha256", - "type": "mapping", - "value": "threat.indicator.file.hash.sha256" - } - ] - }, - { - "entries": [ - { - "field": "dll.pe.imphash", - "type": "mapping", - "value": "threat.indicator.file.pe.imphash" - } - ] - }, - { - "entries": [ - { - "field": "process.pe.imphash", - "type": "mapping", - "value": "threat.indicator.file.pe.imphash" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 1 - }, - "id": "aab184d3-72b3-4639-b242-6597c99d8bca", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json new file mode 100644 index 000000000000..45c415286155 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json @@ -0,0 +1,248 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Hash Indicator Match", + "query": "file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:* \n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.pe.imphash", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.pe.imphash", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "file.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "dll.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + }, + { + "entries": [ + { + "field": "process.pe.imphash", + "type": "mapping", + "value": "threat.indicator.file.pe.imphash" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 1 + }, + "id": "aab184d3-72b3-4639-b242-6597c99d8bca_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json deleted file mode 100644 index 119d2f44983d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", - "references": [ - "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json new file mode 100644 index 000000000000..f04bd59f815a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Execution via File Shares", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "references": [ + "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json new file mode 100644 index 000000000000..ebb7016ce022 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Execution via File Shares", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "references": [ + "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json new file mode 100644 index 000000000000..6acf6e62b8ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Execution via File Shares", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "references": [ + "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json deleted file mode 100644 index b13eec0bc82c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_rare_metadata_process" - ], - "name": "Unusual Windows Process Calling the Metadata Service", - "risk_score": 21, - "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.005", - "name": "Cloud Instance Metadata API", - "reference": "https://attack.mitre.org/techniques/T1552/005/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "abae61a8-c560-4dbd-acca-1e1438bff36b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json new file mode 100644 index 000000000000..10fe4866fdd9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_metadata_process" + ], + "name": "Unusual Windows Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json new file mode 100644 index 000000000000..207be73a11e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_metadata_process" + ], + "name": "Unusual Windows Process Calling the Metadata Service", + "risk_score": 21, + "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json deleted file mode 100644 index 5ea7a372ac2c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Login Hook", - "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", - "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", - "references": [ - "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1647", - "name": "Plist File Modification", - "reference": "https://attack.mitre.org/techniques/T1647/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json new file mode 100644 index 000000000000..1e7685652b62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Login Hook", + "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json new file mode 100644 index 000000000000..4730ff43ecd3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Login Hook", + "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json deleted file mode 100644 index e2ee558003f4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", - "false_positives": [ - "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious WerFault Child Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", - "references": [ - "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", - "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", - "https://blog.menasec.net/2021/01/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json new file mode 100644 index 000000000000..489f3bdc07ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", + "false_positives": [ + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WerFault Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", + "references": [ + "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "https://blog.menasec.net/2021/01/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json new file mode 100644 index 000000000000..e29958976931 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", + "false_positives": [ + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WerFault Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", + "references": [ + "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "https://blog.menasec.net/2021/01/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json deleted file mode 100644 index 5ff05fec458b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", - "false_positives": [ - "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." - ], - "from": "now-2h", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_method_for_a_username", - "name": "Unusual AWS Command for a User", - "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "related_integrations": [], - "risk_score": 21, - "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide" - ], - "type": "machine_learning", - "version": 105 - }, - "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json new file mode 100644 index 000000000000..1df9135b3ec0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", + "false_positives": [ + "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_username", + "name": "Unusual AWS Command for a User", + "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "ML", + "Machine Learning", + "Investigation Guide" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json new file mode 100644 index 000000000000..71bfdfa1a94f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", + "false_positives": [ + "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_username", + "name": "Unusual AWS Command for a User", + "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 105 + }, + "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json deleted file mode 100644 index 95e222d2b578..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Invoke-Mimikatz PowerShell Script", - "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", - "references": [ - "https://attack.mitre.org/software/S0002/", - "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json new file mode 100644 index 000000000000..bbed09535533 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Invoke-Mimikatz PowerShell Script", + "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", + "references": [ + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json new file mode 100644 index 000000000000..5613990b2c6c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Invoke-Mimikatz PowerShell Script", + "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", + "references": [ + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json deleted file mode 100644 index 398ad87fee56..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", - "false_positives": [ - "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "note": "## Triage and analysis\n\n### Investigating API Access Granted via Domain-Wide Delegation of Authority\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", - "references": [ - "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json new file mode 100644 index 000000000000..6c75dc13bbd3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", + "false_positives": [ + "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", + "references": [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json new file mode 100644 index 000000000000..ba78ac1be438 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", + "false_positives": [ + "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "note": "## Triage and analysis\n\n### Investigating API Access Granted via Domain-Wide Delegation of Authority\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", + "references": [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json new file mode 100644 index 000000000000..562cb587b282 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", + "false_positives": [ + "Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "note": "## Triage and analysis\n\n### Investigating API Access Granted via Domain-Wide Delegation of Authority\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", + "references": [ + "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json deleted file mode 100644 index 25c6464fb86d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json +++ /dev/null @@ -1,135 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", - "false_positives": [ - "Processes such as MS Office using IEproxy to render HTML content." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Command and Control via Internet Explorer", - "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1559", - "name": "Inter-Process Communication", - "reference": "https://attack.mitre.org/techniques/T1559/", - "subtechnique": [ - { - "id": "T1559.001", - "name": "Component Object Model", - "reference": "https://attack.mitre.org/techniques/T1559/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json new file mode 100644 index 000000000000..a987830d6beb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", + "false_positives": [ + "Processes such as MS Office using IEproxy to render HTML content." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Command and Control via Internet Explorer", + "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json new file mode 100644 index 000000000000..82f5c5f595f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", + "false_positives": [ + "Processes such as MS Office using IEproxy to render HTML content." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Command and Control via Internet Explorer", + "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json deleted file mode 100644 index 1138f3c9d237..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential macOS SSH Brute Force Detected", - "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", - "references": [ - "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id" - ], - "value": 20 - }, - "type": "threshold", - "version": 104 - }, - "id": "ace1e989-a541-44df-93a8-a8b0591b63c0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json new file mode 100644 index 000000000000..d8ec95d65824 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential macOS SSH Brute Force Detected", + "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", + "references": [ + "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 20 + }, + "type": "threshold", + "version": 103 + }, + "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json new file mode 100644 index 000000000000..c98c0cc4184d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential macOS SSH Brute Force Detected", + "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", + "references": [ + "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 20 + }, + "type": "threshold", + "version": 104 + }, + "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json deleted file mode 100644 index 6b575ab95676..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Managed Code Hosting Process", - "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", - "references": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json new file mode 100644 index 000000000000..a84a96de6172 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Managed Code Hosting Process", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", + "references": [ + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json new file mode 100644 index 000000000000..89029cb29e63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Managed Code Hosting Process", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", + "references": [ + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json deleted file mode 100644 index 2d2529ca4d33..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Signed Proxy Execution via MS Work Folders", - "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", - "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", - "https://twitter.com/ElliotKillick/status/1449812843772227588", - "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "ad0d2742-9a49-11ec-8d6b-acde48001122", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json new file mode 100644 index 000000000000..fefe639a3af8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Signed Proxy Execution via MS Work Folders", + "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", + "https://twitter.com/ElliotKillick/status/1449812843772227588", + "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json new file mode 100644 index 000000000000..40dc7338a3d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Signed Proxy Execution via MS Work Folders", + "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", + "https://twitter.com/ElliotKillick/status/1449812843772227588", + "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json deleted file mode 100644 index c904541fde8c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", - "false_positives": [ - "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Custom Admin Role Created", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json new file mode 100644 index 000000000000..9fe6dd740834 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Admin Role Created", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json new file mode 100644 index 000000000000..a5483aea4511 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Admin Role Created", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json new file mode 100644 index 000000000000..ead1aa1021ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", + "false_positives": [ + "Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Custom Admin Role Created", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", + "references": [ + "https://support.google.com/a/answer/2406043?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json deleted file mode 100644 index 607b804662df..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json new file mode 100644 index 000000000000..5d1daf55eb95 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Portable Executable Encoded in Powershell Script", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json new file mode 100644 index 000000000000..ce493975d00c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Portable Executable Encoded in Powershell Script", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json new file mode 100644 index 000000000000..1be08a57349f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Portable Executable Encoded in Powershell Script", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json deleted file mode 100644 index 07ae165ee302..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kerberos Cached Credentials Dumping", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", - "references": [ - "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", - "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.003", - "name": "Kerberoasting", - "reference": "https://attack.mitre.org/techniques/T1558/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json new file mode 100644 index 000000000000..f43e08082b58 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Cached Credentials Dumping", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", + "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json new file mode 100644 index 000000000000..6f36588574a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Cached Credentials Dumping", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", + "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json deleted file mode 100644 index 9af28deb61a2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", - "false_positives": [ - "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "File Transfer or Listener Established via Netcat", - "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", - "references": [ - "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", - "https://en.wikipedia.org/wiki/Netcat", - "https://www.hackers-arise.com/hacking-fundamentals", - "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", - "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json new file mode 100644 index 000000000000..effa37dcd27e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Transfer or Listener Established via Netcat", + "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat", + "https://www.hackers-arise.com/hacking-fundamentals", + "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", + "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json new file mode 100644 index 000000000000..f208b386b33f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Transfer or Listener Established via Netcat", + "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat", + "https://www.hackers-arise.com/hacking-fundamentals", + "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", + "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json deleted file mode 100644 index 1a1be45914f0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json +++ /dev/null @@ -1,132 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Execution via Microsoft Office Add-Ins", - "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", - "references": [ - "https://github.com/Octoberfest7/XLL_Phishing", - "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1137", - "name": "Office Application Startup", - "reference": "https://attack.mitre.org/techniques/T1137/", - "subtechnique": [ - { - "id": "T1137.006", - "name": "Add-ins", - "reference": "https://attack.mitre.org/techniques/T1137/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json new file mode 100644 index 000000000000..9a9a7fded2b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Microsoft Office Add-Ins", + "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", + "references": [ + "https://github.com/Octoberfest7/XLL_Phishing", + "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json new file mode 100644 index 000000000000..9a8d4a3b2c7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json @@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Microsoft Office Add-Ins", + "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", + "references": [ + "https://github.com/Octoberfest7/XLL_Phishing", + "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json deleted file mode 100644 index b14e1cb4d093..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Shared Object Created or Changed by Previously Unknown Process", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name:(* and not (5 or dockerd or dpkg or rpm or snapd))\n", - "references": [ - "https://threatpost.com/sneaky-malware-backdoors-linux/180158/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json new file mode 100644 index 000000000000..d1ab60975a62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Shared Object Created or Changed by Previously Unknown Process", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name:(* and not (5 or dockerd or dpkg or rpm or snapd))\n", + "references": [ + "https://threatpost.com/sneaky-malware-backdoors-linux/180158/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json deleted file mode 100644 index 28391602b5ff..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json +++ /dev/null @@ -1,124 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", - "false_positives": [ - "Legitimate scheduled tasks may be created during installation of new software." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Local Scheduled Task Creation", - "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", - "references": [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.IntegrityLevel", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json new file mode 100644 index 000000000000..5c43ebfe5951 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json @@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Scheduled Task Creation", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json new file mode 100644 index 000000000000..7af05eda06ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Scheduled Task Creation", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json deleted file mode 100644 index 021262586da3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Timestomping using Touch Command", - "note": "", - "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.006", - "name": "Timestomp", - "reference": "https://attack.mitre.org/techniques/T1070/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 102 - }, - "id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json new file mode 100644 index 000000000000..559cf40d3022 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Timestomping using Touch Command", + "note": "", + "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "b0046934-486e-462f-9487-0d4cf9e429c6_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json new file mode 100644 index 000000000000..69e23190f161 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Timestomping using Touch Command", + "note": "", + "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "b0046934-486e-462f-9487-0d4cf9e429c6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json deleted file mode 100644 index a2a4bc010d01..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "TCC Bypass via Mounted APFS Snapshot Access", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", - "references": [ - "https://theevilbit.github.io/posts/cve_2020_9771/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1006", - "name": "Direct Volume Access", - "reference": "https://attack.mitre.org/techniques/T1006/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b00bcd89-000c-4425-b94c-716ef67762f6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json new file mode 100644 index 000000000000..1c4eace3297f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "TCC Bypass via Mounted APFS Snapshot Access", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", + "references": [ + "https://theevilbit.github.io/posts/cve_2020_9771/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion", + "CVE_2020_9771" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1006", + "name": "Direct Volume Access", + "reference": "https://attack.mitre.org/techniques/T1006/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b00bcd89-000c-4425-b94c-716ef67762f6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json new file mode 100644 index 000000000000..52dc2d0a0531 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "TCC Bypass via Mounted APFS Snapshot Access", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", + "references": [ + "https://theevilbit.github.io/posts/cve_2020_9771/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1006", + "name": "Direct Volume Access", + "reference": "https://attack.mitre.org/techniques/T1006/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b00bcd89-000c-4425-b94c-716ef67762f6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json deleted file mode 100644 index cf8cd5edc0d1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", - "false_positives": [ - "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "high_count_network_events", - "name": "Spike in Network Traffic", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json new file mode 100644 index 000000000000..a4d41f144b52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_events", + "name": "Spike in Network Traffic", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json new file mode 100644 index 000000000000..b6edf6d2dc4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_events", + "name": "Spike in Network Traffic", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json deleted file mode 100644 index dbaaa841175e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", - "references": [ - "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - }, - { - "id": "T1219", - "name": "Remote Access Software", - "reference": "https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json new file mode 100644 index 000000000000..7a08c0231978 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", + "references": [ + "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json new file mode 100644 index 000000000000..fa6458260f42 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", + "references": [ + "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json new file mode 100644 index 000000000000..677cb764bacd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", + "references": [ + "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json deleted file mode 100644 index a5bf7de4052e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", - "false_positives": [ - "Users or System Administrator cleaning out folders." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Unusual Volume of File Deletion", - "note": "", - "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "b2951150-658f-4a60-832f-a00d1e6c6745", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json new file mode 100644 index 000000000000..c6420a2b9aa6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json new file mode 100644 index 000000000000..7b3165471b95 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json deleted file mode 100644 index 5f9ace4c03e5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.001", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1218/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json new file mode 100644 index 000000000000..768f9f7ff2b2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Compiled HTML File", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json new file mode 100644 index 000000000000..71cf18e26b0b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json new file mode 100644 index 000000000000..8469a808bd9f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json deleted file mode 100644 index 495acc737fb2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", - "false_positives": [ - "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_anomalous_user_name" - ], - "name": "Unusual Linux Username", - "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "b347b919-665f-4aac-b9e8-68369bf2340c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json new file mode 100644 index 000000000000..ecc51d236222 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_user_name" + ], + "name": "Unusual Linux Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "b347b919-665f-4aac-b9e8-68369bf2340c_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json new file mode 100644 index 000000000000..9f74e30fd830 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", + "false_positives": [ + "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_anomalous_user_name" + ], + "name": "Unusual Linux Username", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "b347b919-665f-4aac-b9e8-68369bf2340c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json deleted file mode 100644 index d065e9afa0f5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Endpoint Security Parent Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json new file mode 100644 index 000000000000..2c8370e7365e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Endpoint Security Parent Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json new file mode 100644 index 000000000000..e9ca871699b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Endpoint Security Parent Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json deleted file mode 100644 index 9f9a5c49f8f1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Code Signing Policy Modification Through Built-in tools", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.006", - "name": "Code Signing Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1553/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json new file mode 100644 index 000000000000..f8ccc1b4208a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Built-in tools", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n /* Windows */\n ((process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")) or\n \n /* MacOS */\n (process.executable: \"/usr/bin/csrutil\" and process.args: \"disable\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "macOS", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json new file mode 100644 index 000000000000..d1daa6d63541 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Built-in tools", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json new file mode 100644 index 000000000000..9e84f8f3a93c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Built-in tools", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json deleted file mode 100644 index 9d2cc3b6f172..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Persistence via Atom Init Script Modification", - "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", - "references": [ - "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", - "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b4449455-f986-4b5a-82ed-e36b129331f7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json new file mode 100644 index 000000000000..20905ccf7d99 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Atom Init Script Modification", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", + "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b4449455-f986-4b5a-82ed-e36b129331f7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json new file mode 100644 index 000000000000..3c9e76a0ae4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Atom Init Script Modification", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", + "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b4449455-f986-4b5a-82ed-e36b129331f7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json deleted file mode 100644 index ebd5f8e01e7d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", - "false_positives": [ - "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS STS GetSessionToken Abuse", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.001", - "name": "Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1550/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b45ab1d2-712f-4f01-a751-df3826969807", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json new file mode 100644 index 000000000000..a78914d0f478 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", + "false_positives": [ + "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS STS GetSessionToken Abuse", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b45ab1d2-712f-4f01-a751-df3826969807_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json new file mode 100644 index 000000000000..aa8a38e4db41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", + "false_positives": [ + "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS STS GetSessionToken Abuse", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b45ab1d2-712f-4f01-a751-df3826969807_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json deleted file mode 100644 index f3ef1277919a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Delete an Okta Policy", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json new file mode 100644 index 000000000000..5ae2fc6406aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json new file mode 100644 index 000000000000..ae1bdc894093 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json deleted file mode 100644 index 575e8a558d9b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Clearing Windows Console History", - "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", - "references": [ - "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", - "https://www.shellhacks.com/clear-history-powershell/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.003", - "name": "Clear Command History", - "reference": "https://attack.mitre.org/techniques/T1070/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "b5877334-677f-4fb9-86d5-a9721274223b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json new file mode 100644 index 000000000000..9168186d1cda --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Console History", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", + "references": [ + "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b5877334-677f-4fb9-86d5-a9721274223b_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json new file mode 100644 index 000000000000..51f3a575cd1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Console History", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", + "references": [ + "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "b5877334-677f-4fb9-86d5-a9721274223b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json deleted file mode 100644 index 72c6d285694e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json new file mode 100644 index 000000000000..7158d6f8238e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json new file mode 100644 index 000000000000..0beba236bfbb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json deleted file mode 100644 index 875f86491c36..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Elastic Agent Service Terminated", - "note": "", - "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json new file mode 100644 index 000000000000..902536dd4805 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Agent Service Terminated", + "note": "", + "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Windows", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json new file mode 100644 index 000000000000..8c78c8eacc59 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Agent Service Terminated", + "note": "", + "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json new file mode 100644 index 000000000000..d9579f351173 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Agent Service Terminated", + "note": "", + "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json deleted file mode 100644 index 08faba58217a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json +++ /dev/null @@ -1,145 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Script Interpreter Executing Process via WMI", - "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "b64b183e-1a76-422d-9179-7b389513e74d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json new file mode 100644 index 000000000000..688896dbb8f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json @@ -0,0 +1,146 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Interpreter Executing Process via WMI", + "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "b64b183e-1a76-422d-9179-7b389513e74d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json new file mode 100644 index 000000000000..3181953479ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json @@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Interpreter Executing Process via WMI", + "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "b64b183e-1a76-422d-9179-7b389513e74d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json deleted file mode 100644 index f183886a48d3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.", - "false_positives": [ - "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Event Hub Authorization Rule Created or Updated", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json new file mode 100644 index 000000000000..50d6cb8788cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.", + "false_positives": [ + "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Event Hub Authorization Rule Created or Updated", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json new file mode 100644 index 000000000000..0d8cad42b7bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.", + "false_positives": [ + "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Event Hub Authorization Rule Created or Updated", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Log Auditing", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json deleted file mode 100644 index 7a14d06e4f7f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", - "false_positives": [ - "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Policy", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json new file mode 100644 index 000000000000..714378e68ed2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json new file mode 100644 index 000000000000..3ef80f7680f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json deleted file mode 100644 index 19016a487b91..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", - "false_positives": [ - "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Administrator Privileges Assigned to an Okta Group", - "note": "", - "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b8075894-0b62-46e5-977c-31275da34419", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "b8075894-0b62-46e5-977c-31275da34419", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json new file mode 100644 index 000000000000..2ed1862445a9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", + "false_positives": [ + "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Administrator Privileges Assigned to an Okta Group", + "note": "", + "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8075894-0b62-46e5-977c-31275da34419", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "b8075894-0b62-46e5-977c-31275da34419_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json new file mode 100644 index 000000000000..142fa19601f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", + "false_positives": [ + "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Administrator Privileges Assigned to an Okta Group", + "note": "", + "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8075894-0b62-46e5-977c-31275da34419", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b8075894-0b62-46e5-977c-31275da34419_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json deleted file mode 100644 index e404af68edfb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Invoke-NinjaCopy script", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.002", - "name": "Security Account Manager", - "reference": "https://attack.mitre.org/techniques/T1003/002/" - }, - { - "id": "T1003.003", - "name": "NTDS", - "reference": "https://attack.mitre.org/techniques/T1003/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 3 - }, - "id": "b8386923-b02c-4b94-986a-d223d9b01f88", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json new file mode 100644 index 000000000000..4f38c5eb9d99 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Invoke-NinjaCopy script", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "b8386923-b02c-4b94-986a-d223d9b01f88_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json new file mode 100644 index 000000000000..353bf0a6765d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Invoke-NinjaCopy script", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "b8386923-b02c-4b94-986a-d223d9b01f88_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json deleted file mode 100644 index b53da27dc670..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation or Modification of Domain Backup DPAPI private key", - "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", - "references": [ - "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", - "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.004", - "name": "Private Keys", - "reference": "https://attack.mitre.org/techniques/T1552/004/" - } - ] - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json new file mode 100644 index 000000000000..5200b1d6a5f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Domain Backup DPAPI private key", + "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", + "references": [ + "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", + "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json new file mode 100644 index 000000000000..84c3f7627bab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Domain Backup DPAPI private key", + "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", + "references": [ + "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", + "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json deleted file mode 100644 index 61dcf4acb0de..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via MsXsl", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1220", - "name": "XSL Script Processing", - "reference": "https://attack.mitre.org/techniques/T1220/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json new file mode 100644 index 000000000000..8820d7b8eba5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via MsXsl", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json new file mode 100644 index 000000000000..d834aef2e1e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via MsXsl", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json deleted file mode 100644 index 005623c9a28e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", - "references": [ - "https://github.com/hfiref0x/UACME" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json new file mode 100644 index 000000000000..657ac999b2c0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json new file mode 100644 index 000000000000..0ebc016a0bdb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json deleted file mode 100644 index aefdc7cd238e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Chkconfig Service Add", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", - "references": [ - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/", - "subtechnique": [ - { - "id": "T1037.004", - "name": "RC Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json new file mode 100644 index 000000000000..b7790e577fcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", + "references": [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Lightning Framework", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json new file mode 100644 index 000000000000..7d2996a63efd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", + "references": [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json new file mode 100644 index 000000000000..770d9985167c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", + "references": [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json deleted file mode 100644 index 7eb9acec86d9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", - "false_positives": [ - "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host." - ], - "from": "now-24h", - "index": [ - ".alerts-security.*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host", - "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n", - "required_fields": [ - { - "ecs": false, - "name": "kibana.alert.rule.threat.tactic.id", - "type": "unknown" - }, - { - "ecs": false, - "name": "signal.rule.name", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule" - ], - "threshold": { - "cardinality": [ - { - "field": "kibana.alert.rule.threat.tactic.id", - "value": 3 - } - ], - "field": [ - "host.id" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 4 - }, - "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json new file mode 100644 index 000000000000..423c4b8d3b30 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", + "false_positives": [ + "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host." + ], + "from": "now-24h", + "index": [ + ".alerts-security.*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host", + "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n", + "required_fields": [ + { + "ecs": false, + "name": "kibana.alert.rule.threat.tactic.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "signal.rule.name", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", + "severity": "high", + "tags": [ + "Elastic", + "Threat Detection", + "Higher-Order Rules" + ], + "threshold": { + "cardinality": [ + { + "field": "kibana.alert.rule.threat.tactic.id", + "value": 3 + } + ], + "field": [ + "host.id" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 3 + }, + "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json new file mode 100644 index 000000000000..29247c906b2f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", + "false_positives": [ + "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host." + ], + "from": "now-24h", + "index": [ + ".alerts-security.*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host", + "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n", + "required_fields": [ + { + "ecs": false, + "name": "kibana.alert.rule.threat.tactic.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "signal.rule.name", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule" + ], + "threshold": { + "cardinality": [ + { + "field": "kibana.alert.rule.threat.tactic.id", + "value": 3 + } + ], + "field": [ + "host.id" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 4 + }, + "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json deleted file mode 100644 index a5c409ccdc75..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Group Policy Abuse for Privilege Addition", - "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", - "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", - "references": [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://labs.f-secure.com/tools/sharpgpoabuse" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeLDAPDisplayName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.AttributeValue", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1484", - "name": "Domain Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/", - "subtechnique": [ - { - "id": "T1484.001", - "name": "Group Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1484/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json new file mode 100644 index 000000000000..72aaa467e66a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Group Policy Abuse for Privilege Addition", + "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", + "query": "host.os.type:windows and event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json new file mode 100644 index 000000000000..1587ba04841f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Group Policy Abuse for Privilege Addition", + "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", + "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json new file mode 100644 index 000000000000..aa78025620d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Group Policy Abuse for Privilege Addition", + "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", + "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json deleted file mode 100644 index 37f721f4304a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", - "false_positives": [ - "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Creation of Hidden Files and Directories via CommandLine", - "note": "", - "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.working_directory", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.001", - "name": "Hidden Files and Directories", - "reference": "https://attack.mitre.org/techniques/T1564/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "b9666521-4742-49ce-9ddc-b8e84c35acae", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json new file mode 100644 index 000000000000..1e8cf48dde8c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", + "false_positives": [ + "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Files and Directories via CommandLine", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json new file mode 100644 index 000000000000..6db7e11bf22f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", + "false_positives": [ + "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Files and Directories via CommandLine", + "note": "", + "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json deleted file mode 100644 index dd16005b26f9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "SolarWinds Process Disabling Services via Registry", - "note": "", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "b9960fef-82c6-4816-befa-44745030e917", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json new file mode 100644 index 000000000000..33fa71f27e79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SolarWinds Process Disabling Services via Registry", + "note": "", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9960fef-82c6-4816-befa-44745030e917", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "b9960fef-82c6-4816-befa-44745030e917_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json new file mode 100644 index 000000000000..b166dc503e6d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SolarWinds Process Disabling Services via Registry", + "note": "", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9960fef-82c6-4816-befa-44745030e917", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "b9960fef-82c6-4816-befa-44745030e917_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json deleted file mode 100644 index 3ec46edfe0df..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", - "false_positives": [ - "A newly installed program or one that rarely uses the network could trigger this alert." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_anomalous_network_activity" - ], - "name": "Unusual Windows Network Activity", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json new file mode 100644 index 000000000000..67204a0b99b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_network_activity" + ], + "name": "Unusual Windows Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json new file mode 100644 index 000000000000..3acc0c373628 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", + "false_positives": [ + "A newly installed program or one that rarely uses the network could trigger this alert." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_anomalous_network_activity" + ], + "name": "Unusual Windows Network Activity", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json deleted file mode 100644 index 06c995cdc55d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Image Load (taskschd.dll) from MS Office", - "note": "", - "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", - "references": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json new file mode 100644 index 000000000000..1c050924777b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Image Load (taskschd.dll) from MS Office", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json new file mode 100644 index 000000000000..b71971142150 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Image Load (taskschd.dll) from MS Office", + "note": "", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json deleted file mode 100644 index 72a8b854a5de..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.", - "false_positives": [ - "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Resource Group Deletion", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json new file mode 100644 index 000000000000..b365f9526df8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.", + "false_positives": [ + "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Resource Group Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json new file mode 100644 index 000000000000..0363b5e4a49f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.", + "false_positives": [ + "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Resource Group Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Log Auditing", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json deleted file mode 100644 index a0071bd2c958..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", - "false_positives": [ - "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Encryption Disabled", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1565", - "name": "Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/", - "subtechnique": [ - { - "id": "T1565.001", - "name": "Stored Data Manipulation", - "reference": "https://attack.mitre.org/techniques/T1565/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json new file mode 100644 index 000000000000..0b70d3fb95e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", + "false_positives": [ + "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Encryption Disabled", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Data Protection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json new file mode 100644 index 000000000000..e4dad4c0ef7c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", + "false_positives": [ + "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Encryption Disabled", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json deleted file mode 100644 index 3c4683d6097f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", - "false_positives": [ - "Benign files can trigger signatures in the built-in virus protection" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "OneDrive Malware File Upload", - "note": "", - "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1080", - "name": "Taint Shared Content", - "reference": "https://attack.mitre.org/techniques/T1080/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json new file mode 100644 index 000000000000..b2a7066b147f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json new file mode 100644 index 000000000000..cc9d040ded80 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json deleted file mode 100644 index c1ce3ff9a84a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.network-*", - "logs-network_traffic.*", - "packetbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential SYN-Based Network Scan Detected", - "query": "destination.port :* and network.packets \u003c= 2\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "network.packets", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", - "severity": "medium", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.port", - "value": 10 - } - ], - "field": [ - "destination.ip", - "source.ip" - ], - "value": 1 - }, - "type": "threshold", - "version": 1 - }, - "id": "bbaa96b9-f36c-4898-ace2-581acb00a409", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json new file mode 100644 index 000000000000..6e03868fbb43 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-network_traffic.*", + "packetbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential SYN-Based Network Scan Detected", + "query": "destination.port :* and network.packets \u003c= 2\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "network.packets", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", + "severity": "medium", + "tags": [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "destination.port", + "value": 10 + } + ], + "field": [ + "destination.ip", + "source.ip" + ], + "value": 1 + }, + "type": "threshold", + "version": 1 + }, + "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json deleted file mode 100644 index a590a2a7fcda..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", - "false_positives": [ - "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "note": "", - "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Name", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.NewValue", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "bbd1a775-8267-41fa-9232-20e5582596ac", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json new file mode 100644 index 000000000000..cbf1778ec980 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json new file mode 100644 index 000000000000..0d497fae7588 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json deleted file mode 100644 index e4ade33baa89..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", - "false_positives": [ - "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Root Login Without MFA", - "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", - "type": "boolean" - }, - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json new file mode 100644 index 000000000000..60f36d07308b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", + "false_positives": [ + "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Root Login Without MFA", + "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json new file mode 100644 index 000000000000..ee9433813e5c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", + "false_positives": [ + "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Root Login Without MFA", + "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json deleted file mode 100644 index bf0768e43085..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.", - "false_positives": [ - "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Storage Bucket Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n", - "references": [ - "https://cloud.google.com/storage/docs/key-terms#buckets" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json new file mode 100644 index 000000000000..9d00593330ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.", + "false_positives": [ + "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n", + "references": [ + "https://cloud.google.com/storage/docs/key-terms#buckets" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json new file mode 100644 index 000000000000..e3a25a98b961 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.", + "false_positives": [ + "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Storage Bucket Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n", + "references": [ + "https://cloud.google.com/storage/docs/key-terms#buckets" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json deleted file mode 100644 index 56ba5747cf39..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", - "false_positives": [ - "Certain applications may install root certificates for the purpose of inspecting SSL traffic." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Install Root Certificate", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", - "references": [ - "https://ss64.com/osx/security-cert.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.004", - "name": "Install Root Certificate", - "reference": "https://attack.mitre.org/techniques/T1553/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "bc1eeacf-2972-434f-b782-3a532b100d67", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json new file mode 100644 index 000000000000..ec15e358c764 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Install Root Certificate", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", + "references": [ + "https://ss64.com/osx/security-cert.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bc1eeacf-2972-434f-b782-3a532b100d67_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json new file mode 100644 index 000000000000..65678dc18a1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Install Root Certificate", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", + "references": [ + "https://ss64.com/osx/security-cert.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bc1eeacf-2972-434f-b782-3a532b100d67_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json deleted file mode 100644 index 6a63a4912cc0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Conditional Access Policy Modified", - "note": "", - "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - }, - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json new file mode 100644 index 000000000000..5de77cf04723 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Conditional Access Policy Modified", + "note": "", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json new file mode 100644 index 000000000000..f7670fec21f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Conditional Access Policy Modified", + "note": "", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json deleted file mode 100644 index e65a3cef9702..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", - "false_positives": [ - "SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Non-Standard Port SSH connection", - "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", - "references": [ - "https://attack.mitre.org/techniques/T1571/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "OS: macOS" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1571", - "name": "Non-Standard Port", - "reference": "https://attack.mitre.org/techniques/T1571/" - } - ] - } - ], - "type": "eql", - "version": 3 - }, - "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json new file mode 100644 index 000000000000..bdf367651417 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", + "false_positives": [ + "SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Non-Standard Port SSH connection", + "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", + "references": [ + "https://attack.mitre.org/techniques/T1571/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Command and Control", + "macOS" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json new file mode 100644 index 000000000000..e74ec49ca799 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", + "false_positives": [ + "SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Non-Standard Port SSH connection", + "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", + "references": [ + "https://attack.mitre.org/techniques/T1571/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "OS: macOS" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json deleted file mode 100644 index 97141d428af7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.", - "false_positives": [ - "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Service Account Disabled", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/service-accounts" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json new file mode 100644 index 000000000000..298086c9f87a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.", + "false_positives": [ + "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Disabled", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json new file mode 100644 index 000000000000..4ad048b66421 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.", + "false_positives": [ + "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Service Account Disabled", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/service-accounts" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json deleted file mode 100644 index f00b191656a4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Keylogging Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", - "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1056", - "name": "Input Capture", - "reference": "https://attack.mitre.org/techniques/T1056/", - "subtechnique": [ - { - "id": "T1056.001", - "name": "Keylogging", - "reference": "https://attack.mitre.org/techniques/T1056/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "bd2c86a0-8b61-4457-ab38-96943984e889", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json new file mode 100644 index 000000000000..84c3f0a17e1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Keylogging Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", + "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Collection", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.001", + "name": "Keylogging", + "reference": "https://attack.mitre.org/techniques/T1056/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "bd2c86a0-8b61-4457-ab38-96943984e889_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json new file mode 100644 index 000000000000..9914103bdce1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Keylogging Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : ( \n Get-Keystrokes or GetAsyncKeyState or GetKeyboardState or NtUserGetAsyncKeyState or \n (\n NtUserSetWindowsHookEx or \n SetWindowsHookA or \n SetWindowsHookEx or \n SetWindowsHookExA or \n SetWindowsHookW\n ) and \n (\n GetForegroundWindow or \n GetWindowTextA or \n GetWindowTextW or \n WM_KEYBOARD_LL)\n ) \nand not user.id:S-1-5-18\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", + "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.001", + "name": "Keylogging", + "reference": "https://attack.mitre.org/techniques/T1056/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "bd2c86a0-8b61-4457-ab38-96943984e889_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json new file mode 100644 index 000000000000..13394c5474b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Keylogging Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", + "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.001", + "name": "Keylogging", + "reference": "https://attack.mitre.org/techniques/T1056/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "bd2c86a0-8b61-4457-ab38-96943984e889_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json deleted file mode 100644 index 36ca21f24d83..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Print Spooler Point and Print DLL", - "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", - "references": [ - "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", - "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "bd7eefee-f671-494e-98df-f01daf9e5f17", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json new file mode 100644 index 000000000000..554c56c0db62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler Point and Print DLL", + "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", + "references": [ + "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", + "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json new file mode 100644 index 000000000000..3d5556a92612 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler Point and Print DLL", + "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", + "references": [ + "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", + "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json deleted file mode 100644 index 93fd95581f7e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privileged Escalation via SamAccountName Spoofing", - "note": "", - "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", - "references": [ - "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/cube0x0/noPac", - "https://twitter.com/exploitph/status/1469157138928914432", - "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.NewTargetUserName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.OldTargetUserName", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json new file mode 100644 index 000000000000..d4630750c417 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privileged Escalation via SamAccountName Spoofing", + "note": "", + "query": "iam where host.os.type == \"windows\" and event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", + "references": [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.NewTargetUserName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OldTargetUserName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Privilege Escalation", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "bdcf646b-08d4-492c-870a-6c04e3700034_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json new file mode 100644 index 000000000000..8517ecf0b071 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privileged Escalation via SamAccountName Spoofing", + "note": "", + "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", + "references": [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.NewTargetUserName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OldTargetUserName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Privilege Escalation", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "bdcf646b-08d4-492c-870a-6c04e3700034_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json new file mode 100644 index 000000000000..90ec7cc68517 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privileged Escalation via SamAccountName Spoofing", + "note": "", + "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", + "references": [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.NewTargetUserName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OldTargetUserName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "bdcf646b-08d4-492c-870a-6c04e3700034_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json deleted file mode 100644 index be07023f6e1f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Searching for Saved Credentials via VaultCmd", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", - "references": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.004", - "name": "Windows Credential Manager", - "reference": "https://attack.mitre.org/techniques/T1555/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json new file mode 100644 index 000000000000..4cbbb98b1ab3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Searching for Saved Credentials via VaultCmd", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json new file mode 100644 index 000000000000..4beb9059d84d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Searching for Saved Credentials via VaultCmd", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json deleted file mode 100644 index 0a14a68bee64..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", - "false_positives": [ - "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Snapshot Restored", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", - "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1578", - "name": "Modify Cloud Compute Infrastructure", - "reference": "https://attack.mitre.org/techniques/T1578/", - "subtechnique": [ - { - "id": "T1578.004", - "name": "Revert Cloud Instance", - "reference": "https://attack.mitre.org/techniques/T1578/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json new file mode 100644 index 000000000000..9f83e1d74cc7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Restored", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.004", + "name": "Revert Cloud Instance", + "reference": "https://attack.mitre.org/techniques/T1578/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json new file mode 100644 index 000000000000..777e577dcaae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", + "false_positives": [ + "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Snapshot Restored", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "reference": "https://attack.mitre.org/techniques/T1578/", + "subtechnique": [ + { + "id": "T1578.004", + "name": "Revert Cloud Instance", + "reference": "https://attack.mitre.org/techniques/T1578/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json deleted file mode 100644 index 96ffa67e24ad..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json +++ /dev/null @@ -1,154 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n \"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", - "references": [ - "https://itm4n.github.io/windows-dll-hijacking-clarified/", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", - "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", - "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", - "https://windows-internals.com/faxing-your-way-to-system/", - "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.code_signature.exists", - "type": "boolean" - }, - { - "ecs": true, - "name": "dll.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.hash.sha256", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.002", - "name": "DLL Side-Loading", - "reference": "https://attack.mitre.org/techniques/T1574/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.001", - "name": "DLL Search Order Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json new file mode 100644 index 000000000000..229ea0f3e116 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json @@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and not file.code_signature.status == \"Valid\")\n )\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json new file mode 100644 index 000000000000..0304b6edb0cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and not file.code_signature.status == \"Valid\")\n )\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json new file mode 100644 index 000000000000..ecc2a890b2e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json @@ -0,0 +1,154 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n \"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json deleted file mode 100644 index b71ad54972bb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", - "references": [ - "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json new file mode 100644 index 000000000000..9be590bfe149 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json new file mode 100644 index 000000000000..20957d8ba077 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json deleted file mode 100644 index 9c3a5779cab8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation or Modification of a new GPO Scheduled Task or Service", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.005", - "name": "Scheduled Task", - "reference": "https://attack.mitre.org/techniques/T1053/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json new file mode 100644 index 000000000000..ae916399c13d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of a new GPO Scheduled Task or Service", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json new file mode 100644 index 000000000000..1e09612705be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of a new GPO Scheduled Task or Service", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json deleted file mode 100644 index df45249aec44..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Credential Manipulation - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "c0be5f31-e180-48ed-aa08-96b36899d48f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json new file mode 100644 index 000000000000..597284a9ebfe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "c0be5f31-e180-48ed-aa08-96b36899d48f_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json new file mode 100644 index 000000000000..ab77779aeeb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "c0be5f31-e180-48ed-aa08-96b36899d48f_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json deleted file mode 100644 index 9b59a4f49c88..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Renaming of ESXI index.html File", - "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", - "references": [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.original.path", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.003", - "name": "Rename System Utilities", - "reference": "https://attack.mitre.org/techniques/T1036/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "c125e48f-6783-41f0-b100-c3bf1b114d16", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json new file mode 100644 index 000000000000..97b15dace99a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI index.html File", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json new file mode 100644 index 000000000000..24381df97039 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI index.html File", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json deleted file mode 100644 index 576211d3232d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", - "false_positives": [ - "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 Full Network Packet Capture Detected", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", - "https://github.com/easttimor/aws-incident-response" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Exfiltration", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1020", - "name": "Automated Exfiltration", - "reference": "https://attack.mitre.org/techniques/T1020/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1074", - "name": "Data Staged", - "reference": "https://attack.mitre.org/techniques/T1074/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "c1812764-0788-470f-8e74-eb4a14d47573", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json new file mode 100644 index 000000000000..07518a6398d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Full Network Packet Capture Detected", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", + "https://github.com/easttimor/aws-incident-response" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1020", + "name": "Automated Exfiltration", + "reference": "https://attack.mitre.org/techniques/T1020/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "c1812764-0788-470f-8e74-eb4a14d47573_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json new file mode 100644 index 000000000000..146d0f8e8bcb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", + "false_positives": [ + "Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 Full Network Packet Capture Detected", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", + "https://github.com/easttimor/aws-incident-response" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Exfiltration", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1020", + "name": "Automated Exfiltration", + "reference": "https://attack.mitre.org/techniques/T1020/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "c1812764-0788-470f-8e74-eb4a14d47573_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json deleted file mode 100644 index 8242c41b3e15..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "Microsoft IIS Connection Strings Decryption", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", - "references": [ - "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json new file mode 100644 index 000000000000..59a09ad5ff82 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Connection Strings Decryption", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json new file mode 100644 index 000000000000..b6a25e6f0b43 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Connection Strings Decryption", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json deleted file mode 100644 index ebbedc95f7eb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 25, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_network_connection_discovery" - ], - "name": "Unusual Linux Network Connection Discovery", - "risk_score": 21, - "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1049", - "name": "System Network Connections Discovery", - "reference": "https://attack.mitre.org/techniques/T1049/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json new file mode 100644 index 000000000000..0bd521c02c78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_connection_discovery" + ], + "name": "Unusual Linux Network Connection Discovery", + "risk_score": 21, + "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json new file mode 100644 index 000000000000..14402323384c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_connection_discovery" + ], + "name": "Unusual Linux Network Connection Discovery", + "risk_score": 21, + "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json deleted file mode 100644 index a96c5a26e142..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Folder Action Script", - "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", - "references": [ - "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1037", - "name": "Boot or Logon Initialization Scripts", - "reference": "https://attack.mitre.org/techniques/T1037/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "c292fa52-4115-408a-b897-e14f684b3cb7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json new file mode 100644 index 000000000000..5a4ac0867337 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Folder Action Script", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", + "references": [ + "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "c292fa52-4115-408a-b897-e14f684b3cb7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json new file mode 100644 index 000000000000..dd881405ea3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Folder Action Script", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", + "references": [ + "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c292fa52-4115-408a-b897-e14f684b3cb7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json deleted file mode 100644 index d20192a93d68..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", - "from": "now-20m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Mshta Making Network Connections", - "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.005", - "name": "Mshta", - "reference": "https://attack.mitre.org/techniques/T1218/005/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "c2d90150-0133-451c-a783-533e736c12d7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json new file mode 100644 index 000000000000..65d268c2321e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-20m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mshta Making Network Connections", + "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c2d90150-0133-451c-a783-533e736c12d7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json new file mode 100644 index 000000000000..b695d4c62d6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-20m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mshta Making Network Connections", + "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "c2d90150-0133-451c-a783-533e736c12d7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json deleted file mode 100644 index 8ce9f76eec52..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Permission Theft - Detected - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json new file mode 100644 index 000000000000..e59fa1b801c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Permission Theft - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json new file mode 100644 index 000000000000..7e89d20e9d58 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Permission Theft - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json deleted file mode 100644 index 00c3cab2576e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via BITS Job Notify Cmdline", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", - "references": [ - "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", - "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1197", - "name": "BITS Jobs", - "reference": "https://attack.mitre.org/techniques/T1197/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "c3b915e0-22f3-4bf7-991d-b643513c722f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json new file mode 100644 index 000000000000..8cbe4e599a12 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via BITS Job Notify Cmdline", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", + "references": [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json new file mode 100644 index 000000000000..7d3add39f533 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via BITS Job Notify Cmdline", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", + "references": [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json deleted file mode 100644 index 781a1f1bc70b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential JAVA/JNDI Exploitation Attempt", - "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", - "references": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/christophetd/log4shell-vulnerable-app", - "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", - "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", - "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.007", - "name": "JavaScript", - "reference": "https://attack.mitre.org/techniques/T1059/007/" - } - ] - }, - { - "id": "T1203", - "name": "Exploitation for Client Execution", - "reference": "https://attack.mitre.org/techniques/T1203/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json new file mode 100644 index 000000000000..fa272229e09c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential JAVA/JNDI Exploitation Attempt", + "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", + "references": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/christophetd/log4shell-vulnerable-app", + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + }, + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json new file mode 100644 index 000000000000..a5ff997c3279 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential JAVA/JNDI Exploitation Attempt", + "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", + "references": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/christophetd/log4shell-vulnerable-app", + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + }, + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json deleted file mode 100644 index a59f0ad461ad..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json +++ /dev/null @@ -1,152 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Mounting Hidden or WebDav Remote Shares", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1087/001/" - }, - { - "id": "T1087.002", - "name": "Domain Account", - "reference": "https://attack.mitre.org/techniques/T1087/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json new file mode 100644 index 000000000000..ac7a148a9dac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json @@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mounting Hidden or WebDav Remote Shares", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json new file mode 100644 index 000000000000..bd2a6e273870 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json @@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mounting Hidden or WebDav Remote Shares", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json deleted file mode 100644 index b9e9787bcb63..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", - "false_positives": [ - "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Print Spooler File Deletion", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", - "references": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json new file mode 100644 index 000000000000..bbea1f7c254b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", + "false_positives": [ + "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler File Deletion", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json new file mode 100644 index 000000000000..8ee83c7e03af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", + "false_positives": [ + "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler File Deletion", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json deleted file mode 100644 index a9e97d95f6e1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Remote Desktop Shadowing Activity", - "note": "", - "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", - "references": [ - "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", - "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "c57f8579-e2a5-4804-847f-f2732edc5156", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json new file mode 100644 index 000000000000..6ddcae0a26b5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Shadowing Activity", + "note": "", + "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", + "references": [ + "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", + "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "c57f8579-e2a5-4804-847f-f2732edc5156_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json new file mode 100644 index 000000000000..a5c52f6a3512 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Shadowing Activity", + "note": "", + "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", + "references": [ + "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", + "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c57f8579-e2a5-4804-847f-f2732edc5156_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json deleted file mode 100644 index 1e55a38ae824..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", - "false_positives": [ - "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Virtual Private Cloud Network Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n", - "references": [ - "https://cloud.google.com/vpc/docs/vpc" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json new file mode 100644 index 000000000000..35b52dcf0210 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", + "false_positives": [ + "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Network Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n", + "references": [ + "https://cloud.google.com/vpc/docs/vpc" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json new file mode 100644 index 000000000000..5a0d47985d41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", + "false_positives": [ + "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Network Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n", + "references": [ + "https://cloud.google.com/vpc/docs/vpc" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json deleted file mode 100644 index 35c4fe830120..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Credential Access via Renamed COM+ Services DLL", - "note": "", - "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", - "references": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.pe.imphash", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", - "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon Only" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json new file mode 100644 index 000000000000..3beab5b3bd07 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Renamed COM+ Services DLL", + "note": "", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", + "references": [ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", + "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json new file mode 100644 index 000000000000..d445d4d89a89 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Renamed COM+ Services DLL", + "note": "", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", + "references": [ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", + "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon Only" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json deleted file mode 100644 index 96f70fee2284..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Installation of Custom Shim Databases", - "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json new file mode 100644 index 000000000000..be1ecd49c501 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Custom Shim Databases", + "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json new file mode 100644 index 000000000000..9624e5eb3079 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Custom Shim Databases", + "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json deleted file mode 100644 index d3db83d81095..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", - "false_positives": [ - "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Build Engine Started by an Office Application", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", - "references": [ - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1127", - "name": "Trusted Developer Utilities Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1127/", - "subtechnique": [ - { - "id": "T1127.001", - "name": "MSBuild", - "reference": "https://attack.mitre.org/techniques/T1127/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json new file mode 100644 index 000000000000..a7dc98ffc180 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by an Office Application", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json new file mode 100644 index 000000000000..20c35ae6dcbb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by an Office Application", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json deleted file mode 100644 index a0e4a3704d3c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.", - "false_positives": [ - "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-cyberarkpas.audit*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "CyberArk Privileged Access Security Recommended Monitor", - "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", - "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", - "references": [ - "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring" - ], - "related_integrations": [ - { - "package": "cyberarkpas", - "version": "^2.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", - "rule_name_override": "event.action", - "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Data Source: CyberArk PAS", - "Use Case: Log Auditing", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json new file mode 100644 index 000000000000..7d3d40b2cf74 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-cyberarkpas.audit*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "CyberArk Privileged Access Security Recommended Monitor", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", + "references": [ + "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring" + ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "^2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", + "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "cyberarkpas", + "SecOps", + "Log Auditing", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json new file mode 100644 index 000000000000..229300fa40f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any event.code which should not trigger this rule." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-cyberarkpas.audit*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "CyberArk Privileged Access Security Recommended Monitor", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", + "references": [ + "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring" + ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "^2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", + "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Data Source: CyberArk PAS", + "Use Case: Log Auditing", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json deleted file mode 100644 index 4b93c23da595..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Download via MpCmdRun", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", - "references": [ - "https://twitter.com/mohammadaskar2/status/1301263551638761477", - "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json new file mode 100644 index 000000000000..9d62d3cc01b9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json new file mode 100644 index 000000000000..f495e19b3bc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json new file mode 100644 index 000000000000..71679804a8c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json deleted file mode 100644 index 8b4ae53732a5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Delete an Okta Network Zone", - "note": "", - "query": "event.dataset:okta.system and event.action:zone.delete\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "c749e367-a069-4a73-b1f2-43a3798153ad", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json new file mode 100644 index 000000000000..5bfeed2cf269 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:zone.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "c749e367-a069-4a73-b1f2-43a3798153ad_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json new file mode 100644 index 000000000000..ff2decf1f3c0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:zone.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "c749e367-a069-4a73-b1f2-43a3798153ad_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json deleted file mode 100644 index 4c002d04b3c6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json +++ /dev/null @@ -1,69 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Application", - "note": "", - "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json new file mode 100644 index 000000000000..39a6e6029cf2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json new file mode 100644 index 000000000000..30fd487afea4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json @@ -0,0 +1,69 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json deleted file mode 100644 index 10f47bc4b02e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Network Connection via DllHost", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "c7894234-7814-44c2-92a9-f7d851ea246a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json new file mode 100644 index 000000000000..521c272f8636 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via DllHost", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c7894234-7814-44c2-92a9-f7d851ea246a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json new file mode 100644 index 000000000000..0dd62cb279bd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via DllHost", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "c7894234-7814-44c2-92a9-f7d851ea246a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json deleted file mode 100644 index 19adf61cb438..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", - "false_positives": [ - "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Privileged Pod Created", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", - "references": [ - "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", - "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json new file mode 100644 index 000000000000..8471af114eb3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "false_positives": [ + "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Privileged Pod Created", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json new file mode 100644 index 000000000000..7e9a296dbc22 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "false_positives": [ + "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Privileged Pod Created", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json deleted file mode 100644 index e2bdad5bd324..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual File Modification by dns.exe", - "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", - "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", - "references": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json new file mode 100644 index 000000000000..51195b5b4198 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Modification by dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", + "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json new file mode 100644 index 000000000000..9c2392a80f37 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Modification by dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", + "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json deleted file mode 100644 index c0577774fc08..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", - "false_positives": [ - "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "high_count_by_destination_country", - "name": "Spike in Network Traffic To a Country", - "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 103 - }, - "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json new file mode 100644 index 000000000000..d812a37311a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_by_destination_country", + "name": "Spike in Network Traffic To a Country", + "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json new file mode 100644 index 000000000000..75458d24b90d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json @@ -0,0 +1,33 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", + "false_positives": [ + "Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_by_destination_country", + "name": "Spike in Network Traffic To a Country", + "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 103 + }, + "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json deleted file mode 100644 index e022a0b08846..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Persistence via Docker Shortcut Modification", - "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", - "references": [ - "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "c81cefcb-82b9-4408-a533-3c3df549e62d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json new file mode 100644 index 000000000000..280109c86f81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via Docker Shortcut Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json new file mode 100644 index 000000000000..ee715fa984d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via Docker Shortcut Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json deleted file mode 100644 index 2d81776ce4a9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMB (Windows File Sharing) Activity to the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json new file mode 100644 index 000000000000..a4513f90b2a9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Initial Access", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json new file mode 100644 index 000000000000..5adb1513954d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMB (Windows File Sharing) Activity to the Internet", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 73, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json deleted file mode 100644 index da7d13b099dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Direct Outbound SMB Connection", - "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json new file mode 100644 index 000000000000..a6a8139a3858 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Direct Outbound SMB Connection", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json new file mode 100644 index 000000000000..1541ab38b459 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Direct Outbound SMB Connection", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json new file mode 100644 index 000000000000..a42f63f4b5de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Direct Outbound SMB Connection", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json deleted file mode 100644 index 109a91fb1acd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", - "false_positives": [ - "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Virtual Machine Fingerprinting via Grep", - "note": "", - "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", - "references": [ - "https://objective-see.com/blog/blog_0x4F.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 102 - }, - "id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json new file mode 100644 index 000000000000..6080d4808e3c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting via Grep", + "note": "", + "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", + "references": [ + "https://objective-see.com/blog/blog_0x4F.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 101 + }, + "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json new file mode 100644 index 000000000000..d198eb740185 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting via Grep", + "note": "", + "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", + "references": [ + "https://objective-see.com/blog/blog_0x4F.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json deleted file mode 100644 index f011fc81a7e6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json +++ /dev/null @@ -1,129 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", - "references": [ - "https://blog.didierstevens.com/2017/03/20/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.code_signature.exists", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.parent.Ext.real.pid", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/", - "subtechnique": [ - { - "id": "T1134.004", - "name": "Parent PID Spoofing", - "reference": "https://attack.mitre.org/techniques/T1134/004/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json new file mode 100644 index 000000000000..4fbf1e964679 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json @@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "references": [ + "https://blog.didierstevens.com/2017/03/20/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json new file mode 100644 index 000000000000..cb3b6192e409 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "references": [ + "https://blog.didierstevens.com/2017/03/20/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json deleted file mode 100644 index 6e1b5a4903ba..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Linux Ransomware Note Creation Detected", - "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"txt\" and \n file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \n \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n ) ] | tail 1\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1486", - "name": "Data Encrypted for Impact", - "reference": "https://attack.mitre.org/techniques/T1486/" - } - ] - } - ], - "type": "eql", - "version": 3 - }, - "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json new file mode 100644 index 000000000000..29c554456db3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. Generally, a ransomware note with contact details is dropped onto the file system which can be used by the victim to contact the attacker. This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Ransomware Note Creation Detected", + "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and \n file.extension == \"txt\" and file.name : (\n \"*crypt*\", \n \"*restore*\", \n \"*lock*\", \n \"*recovery*\", \n \"*data*\",\n \"*read*\", \n \"*instruction*\", \n \"*how_to*\", \n \"*ransom*\"\n ) ] | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json new file mode 100644 index 000000000000..1c5d4f316115 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. Generally, a ransomware note with contact details is dropped onto the file system which can be used by the victim to contact the attacker. This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Ransomware Note Creation Detected", + "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and \n file.extension == \"txt\" and file.name : (\n \"*crypt*\", \n \"*restore*\", \n \"*lock*\", \n \"*recovery*\", \n \"*data*\",\n \"*read*\", \n \"*instruction*\", \n \"*how_to*\", \n \"*ransom*\"\n ) ] | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json new file mode 100644 index 000000000000..da77435ed9cc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Ransomware Note Creation Detected", + "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"txt\" and \n file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \n \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n ) ] | tail 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json deleted file mode 100644 index 5c7f035d86ff..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Startup Shell Folder Modification", - "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "c8b150f0-0164-475b-a75e-74b47800a9ff", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json new file mode 100644 index 000000000000..15bfc9d17b76 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json new file mode 100644 index 000000000000..90889b85a277 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json new file mode 100644 index 000000000000..de10640d26e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json deleted file mode 100644 index 52606c4c2946..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", - "false_positives": [ - "Planned Windows Defender configuration changes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Disabling Windows Defender Security Settings via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json new file mode 100644 index 000000000000..0508e938bcaf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", + "false_positives": [ + "Planned Windows Defender configuration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling Windows Defender Security Settings via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json new file mode 100644 index 000000000000..28ed06fc1711 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", + "false_positives": [ + "Planned Windows Defender configuration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling Windows Defender Security Settings via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json deleted file mode 100644 index d6533f0b5361..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Credential Manipulation - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1134", - "name": "Access Token Manipulation", - "reference": "https://attack.mitre.org/techniques/T1134/" - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json new file mode 100644 index 000000000000..82d989ccfd8b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json new file mode 100644 index 000000000000..3c833ec39afc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json deleted file mode 100644 index d95d22d72fdc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", - "false_positives": [ - "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json new file mode 100644 index 000000000000..33aaf8a9c06c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json new file mode 100644 index 000000000000..5b9f0a9ea42c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json deleted file mode 100644 index 1e82ed813553..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "note": "", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "dll.Ext.relative_file_creation_time", - "type": "unknown" - }, - { - "ecs": false, - "name": "dll.Ext.relative_file_name_modify_time", - "type": "unknown" - }, - { - "ecs": true, - "name": "dll.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.002", - "name": "DLL Side-Loading", - "reference": "https://attack.mitre.org/techniques/T1574/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json new file mode 100644 index 000000000000..9bcb9d251c74 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "note": "", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "dll.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json new file mode 100644 index 000000000000..52e3a4214663 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "note": "", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "dll.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json deleted file mode 100644 index c30705006a70..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", - "false_positives": [ - "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." - ], - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Abnormal Process ID or Lock File Created", - "new_terms_fields": [ - "process.executable", - "file.path" - ], - "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : (\"creation\" or \"file_create_event\") and\nuser.id : \"0\" and file.path : (/var/run/* or /run/*) and file.extension : (\"pid\" or \"lock\" or \"reboot\") and not \nfile.name : (\"auditd.pid\" or \"python*\" or \"apport.pid\" or \"apport.lock\" or \"kworker*\" or \"gdm3.pid\" or \"sshd.pid\" or \n\"acpid.pid\" or \"unattended-upgrades.lock\" or \"unattended-upgrades.pid\" or \"cmd.pid\" or \"yum.pid\" or \"netconfig.pid\" or \n\"docker.pid\" or \"atd.pid\" or \"lfd.pid\" or \"atop.pid\" or \"nginx.pid\" or \"dhclient.pid\" or \"smtpd.pid\" or \"stunnel.pid\" or \n\"1_waagent.pid\" or \"crond.pid\" or \"cron.reboot\" or \"sssd.pid\" or \"tomcat8.pid\")\n", - "references": [ - "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 207 - }, - "id": "cac91072-d165-11ec-a764-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json new file mode 100644 index 000000000000..c63b39e7c4ee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Abnormal Process ID or Lock File Created", + "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "BPFDoor", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "cac91072-d165-11ec-a764-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json new file mode 100644 index 000000000000..7d9a1063b3f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Abnormal Process ID or Lock File Created", + "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"(/var/run|/run)/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "BPFDoor", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "cac91072-d165-11ec-a764-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json new file mode 100644 index 000000000000..63c3a0323564 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Abnormal Process ID or Lock File Created", + "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"(/var/run|/run)/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "cac91072-d165-11ec-a764-f661ea17fbce_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json new file mode 100644 index 000000000000..039e5d7fbb41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." + ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormal Process ID or Lock File Created", + "new_terms_fields": [ + "process.executable", + "file.path" + ], + "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : (\"creation\" or \"file_create_event\") and\nuser.id : \"0\" and file.path : (/var/run/* or /run/*) and file.extension : (\"pid\" or \"lock\" or \"reboot\") and not \nfile.name : (\"auditd.pid\" or \"python*\" or \"apport.pid\" or \"apport.lock\" or \"kworker*\" or \"gdm3.pid\" or \"sshd.pid\" or \n\"acpid.pid\" or \"unattended-upgrades.lock\" or \"unattended-upgrades.pid\" or \"cmd.pid\" or \"yum.pid\" or \"netconfig.pid\" or \n\"docker.pid\" or \"atd.pid\" or \"lfd.pid\" or \"atop.pid\" or \"nginx.pid\" or \"dhclient.pid\" or \"smtpd.pid\" or \"stunnel.pid\" or \n\"1_waagent.pid\" or \"crond.pid\" or \"cron.reboot\" or \"sssd.pid\" or \"tomcat8.pid\")\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 207 + }, + "id": "cac91072-d165-11ec-a764-f661ea17fbce_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json deleted file mode 100644 index 9092f8684fb6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace MFA Enforcement Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en#" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 207 - }, - "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json new file mode 100644 index 000000000000..e8f89ffe7cca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace MFA Enforcement Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Impact", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json new file mode 100644 index 000000000000..a0b4b5196b2e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace MFA Enforcement Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 207 + }, + "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json deleted file mode 100644 index 16e7c3e0e211..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", - "false_positives": [ - "Trusted applications for managing calendars and reminders." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Calendar File Modification", - "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", - "references": [ - "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", - "https://github.com/FSecureLABS/CalendarPersist", - "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json new file mode 100644 index 000000000000..6922d8db855e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", + "false_positives": [ + "Trusted applications for managing calendars and reminders." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Calendar File Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", + "references": [ + "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", + "https://github.com/FSecureLABS/CalendarPersist", + "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json new file mode 100644 index 000000000000..81a75fde7ac1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", + "false_positives": [ + "Trusted applications for managing calendars and reminders." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Calendar File Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", + "references": [ + "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", + "https://github.com/FSecureLABS/CalendarPersist", + "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json deleted file mode 100644 index 5f8f1376b800..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Enable the Root Account", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", - "references": [ - "https://ss64.com/osx/dsenableroot.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json new file mode 100644 index 000000000000..6ff8a47280ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Enable the Root Account", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", + "references": [ + "https://ss64.com/osx/dsenableroot.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json new file mode 100644 index 000000000000..823f4191a1aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Enable the Root Account", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", + "references": [ + "https://ss64.com/osx/dsenableroot.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json deleted file mode 100644 index 12c3c0638052..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", - "false_positives": [ - "Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace User Organizational Unit Changed", - "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.event.type", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.003", - "name": "Additional Cloud Roles", - "reference": "https://attack.mitre.org/techniques/T1098/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json new file mode 100644 index 000000000000..f8f525f997ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", + "false_positives": [ + "Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace User Organizational Unit Changed", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json new file mode 100644 index 000000000000..ad798ab0a041 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", + "false_positives": [ + "Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace User Organizational Unit Changed", + "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json new file mode 100644 index 000000000000..df28ea06795b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", + "false_positives": [ + "Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace User Organizational Unit Changed", + "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.event.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json deleted file mode 100644 index a8984afe79d4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", - "false_positives": [ - "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Subscription Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n", - "references": [ - "https://cloud.google.com/pubsub/docs/overview" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json new file mode 100644 index 000000000000..d74e0c7dcec2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", + "false_positives": [ + "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Subscription Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json new file mode 100644 index 000000000000..e469a647113c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", + "false_positives": [ + "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Subscription Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json deleted file mode 100644 index e001835e60c6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Policy Rule", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cc92c835-da92-45c9-9f29-b4992ad621a0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json new file mode 100644 index 000000000000..744e8f6764fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json new file mode 100644 index 000000000000..a723cd45792c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json deleted file mode 100644 index 53ad0940f7b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Process Herpaderping Attempt", - "query": "sequence with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and not process.parent.executable :\n (\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*.exe\"\n )\n ] by host.id, process.executable, process.parent.entity_id\n [file where host.os.type == \"windows\" and event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n", - "references": [ - "https://github.com/jxy-s/herpaderping" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/" - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json new file mode 100644 index 000000000000..c4a6c6696519 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Process Herpaderping Attempt", + "query": "sequence with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and not process.parent.executable :\n (\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*.exe\"\n )\n ] by host.id, process.executable, process.parent.entity_id\n [file where host.os.type == \"windows\" and event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n", + "references": [ + "https://github.com/jxy-s/herpaderping" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "ccc55af4-9882-4c67-87b4-449a7ae8079c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json new file mode 100644 index 000000000000..1de721bc67e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Process Herpaderping Attempt", + "query": "sequence with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and not process.parent.executable :\n (\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*.exe\"\n )\n ] by host.id, process.executable, process.parent.entity_id\n [file where host.os.type == \"windows\" and event.type == \"change\" and event.action == \"overwrite\" and file.extension == \"exe\"] by host.id, file.path, process.entity_id\n", + "references": [ + "https://github.com/jxy-s/herpaderping" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "ccc55af4-9882-4c67-87b4-449a7ae8079c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json deleted file mode 100644 index c8bc98f69dea..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification or Removal of an Okta Application Sign-On Policy", - "note": "", - "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cd16fb10-0261-46e8-9932-a0336278cdbe", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json new file mode 100644 index 000000000000..5acf563faf86 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification or Removal of an Okta Application Sign-On Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json new file mode 100644 index 000000000000..e6e2f741929b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification or Removal of an Okta Application Sign-On Policy", + "note": "", + "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json deleted file mode 100644 index 32090626ed27..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", - "false_positives": [ - "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_rare_user_compiler" - ], - "name": "Anomalous Linux Compiler Activity", - "risk_score": 21, - "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Resource Development" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0042", - "name": "Resource Development", - "reference": "https://attack.mitre.org/tactics/TA0042/" - }, - "technique": [ - { - "id": "T1588", - "name": "Obtain Capabilities", - "reference": "https://attack.mitre.org/techniques/T1588/", - "subtechnique": [ - { - "id": "T1588.001", - "name": "Malware", - "reference": "https://attack.mitre.org/techniques/T1588/001/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json new file mode 100644 index 000000000000..d1c5f525db27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", + "false_positives": [ + "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_user_compiler" + ], + "name": "Anomalous Linux Compiler Activity", + "risk_score": 21, + "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Resource Development" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0042", + "name": "Resource Development", + "reference": "https://attack.mitre.org/tactics/TA0042/" + }, + "technique": [ + { + "id": "T1588", + "name": "Obtain Capabilities", + "reference": "https://attack.mitre.org/techniques/T1588/", + "subtechnique": [ + { + "id": "T1588.001", + "name": "Malware", + "reference": "https://attack.mitre.org/techniques/T1588/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json new file mode 100644 index 000000000000..d0a76f106376 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", + "false_positives": [ + "Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_rare_user_compiler" + ], + "name": "Anomalous Linux Compiler Activity", + "risk_score": 21, + "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Resource Development" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0042", + "name": "Resource Development", + "reference": "https://attack.mitre.org/tactics/TA0042/" + }, + "technique": [ + { + "id": "T1588", + "name": "Obtain Capabilities", + "reference": "https://attack.mitre.org/techniques/T1588/", + "subtechnique": [ + { + "id": "T1588.001", + "name": "Malware", + "reference": "https://attack.mitre.org/techniques/T1588/001/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json deleted file mode 100644 index e8d93c04c5bb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", - "false_positives": [ - "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Kernel Module Removal", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\"))\n", - "references": [ - "http://man7.org/linux/man-pages/man8/modprobe.8.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.006", - "name": "Kernel Modules and Extensions", - "reference": "https://attack.mitre.org/techniques/T1547/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json new file mode 100644 index 000000000000..fa9db2018915 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", + "false_positives": [ + "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kernel Module Removal", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n", + "references": [ + "http://man7.org/linux/man-pages/man8/modprobe.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json new file mode 100644 index 000000000000..9ab394e13fb5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", + "false_positives": [ + "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Removal", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\"))\n", + "references": [ + "http://man7.org/linux/man-pages/man8/modprobe.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json deleted file mode 100644 index 428eb1c16e6c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", - "false_positives": [ - "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate MFA for an Okta User Account", - "note": "", - "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json new file mode 100644 index 000000000000..2a7c059b5a3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", + "false_positives": [ + "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate MFA for an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json new file mode 100644 index 000000000000..1e845277b6e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", + "false_positives": [ + "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate MFA for an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json deleted file mode 100644 index 3cc4a9d5a858..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "interval": "15m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Okta User Session Impersonation", - "note": "", - "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", - "references": [ - "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json new file mode 100644 index 000000000000..d6005bda1a1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json @@ -0,0 +1,70 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "interval": "15m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta User Session Impersonation", + "note": "", + "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", + "references": [ + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json new file mode 100644 index 000000000000..e32d125263f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "interval": "15m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta User Session Impersonation", + "note": "", + "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", + "references": [ + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json deleted file mode 100644 index e8345b3bf00e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential PowerShell HackTool Script by Function Names", - "note": "", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", - "references": [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", - "https://github.com/BC-SECURITY/Empire" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 4 - }, - "id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json new file mode 100644 index 000000000000..336dcc00f23e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json new file mode 100644 index 000000000000..6ad1ba832fd6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json new file mode 100644 index 000000000000..e87eb673081d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json deleted file mode 100644 index b4016602e847..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", - "false_positives": [ - "Legitimate exchange system administration activity." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", - "references": [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.002", - "name": "Additional Email Delegate Permissions", - "reference": "https://attack.mitre.org/techniques/T1098/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json new file mode 100644 index 000000000000..74b635f2495b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json new file mode 100644 index 000000000000..c6cb87e4819d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json deleted file mode 100644 index aad199cd73a2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json +++ /dev/null @@ -1,69 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", - "false_positives": [ - "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "lucene", - "license": "Elastic License v2", - "name": "Cobalt Strike Command and Control Beacon", - "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", - "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", - "references": [ - "https://blog.morphisec.com/fin7-attacks-restaurant-industry", - "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" - ], - "related_integrations": [], - "risk_score": 73, - "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - }, - { - "id": "T1568", - "name": "Dynamic Resolution", - "reference": "https://attack.mitre.org/techniques/T1568/", - "subtechnique": [ - { - "id": "T1568.002", - "name": "Domain Generation Algorithms", - "reference": "https://attack.mitre.org/techniques/T1568/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json new file mode 100644 index 000000000000..70b2336ae4dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", + "false_positives": [ + "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Cobalt Strike Command and Control Beacon", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", + "references": [ + "https://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", + "severity": "high", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json new file mode 100644 index 000000000000..490da43ce68e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json @@ -0,0 +1,69 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", + "false_positives": [ + "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "lucene", + "license": "Elastic License v2", + "name": "Cobalt Strike Command and Control Beacon", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", + "references": [ + "https://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" + ], + "related_integrations": [], + "risk_score": 73, + "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json deleted file mode 100644 index 22597715fc82..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", - "false_positives": [ - "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Domain Added to Google Workspace Trusted Domains", - "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", - "references": [ - "https://support.google.com/a/answer/6160020?hl=en" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json new file mode 100644 index 000000000000..efb2eede579b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", + "false_positives": [ + "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Domain Added to Google Workspace Trusted Domains", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", + "references": [ + "https://support.google.com/a/answer/6160020?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json new file mode 100644 index 000000000000..c941eb8cb76f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", + "false_positives": [ + "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Domain Added to Google Workspace Trusted Domains", + "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", + "references": [ + "https://support.google.com/a/answer/6160020?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json new file mode 100644 index 000000000000..e5216dbe66c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", + "false_positives": [ + "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Domain Added to Google Workspace Trusted Domains", + "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", + "references": [ + "https://support.google.com/a/answer/6160020?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json deleted file mode 100644 index b510cb024788..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json +++ /dev/null @@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.003", - "name": "Windows Command Shell", - "reference": "https://attack.mitre.org/techniques/T1059/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.005", - "name": "Match Legitimate Name or Location", - "reference": "https://attack.mitre.org/techniques/T1036/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 107 - }, - "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json new file mode 100644 index 000000000000..cb61ea7f42fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json new file mode 100644 index 000000000000..1b421122e4ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json new file mode 100644 index 000000000000..64f64fbe14c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json deleted file mode 100644 index bc681cb8f84b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Namespace Manipulation Using Unshare", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", - "references": [ - "https://man7.org/linux/man-pages/man1/unshare.1.html", - "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "d00f33e7-b57d-4023-9952-2db91b1767c4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json new file mode 100644 index 000000000000..533bbb0aba69 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Namespace Manipulation Using Unshare", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", + "references": [ + "https://man7.org/linux/man-pages/man1/unshare.1.html", + "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json new file mode 100644 index 000000000000..3920fd00fcd0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Namespace Manipulation Using Unshare", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", + "references": [ + "https://man7.org/linux/man-pages/man1/unshare.1.html", + "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json deleted file mode 100644 index cba820575667..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.010", - "name": "AppInit DLLs", - "reference": "https://attack.mitre.org/techniques/T1546/010/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json new file mode 100644 index 000000000000..12dcbb349677 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - $osquery_0\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_1\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_2\n - $osquery_3\n - $osquery_4\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json new file mode 100644 index 000000000000..50f7963c98d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json new file mode 100644 index 000000000000..ac950555abe6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json deleted file mode 100644 index 14bf0819a7df..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", - "false_positives": [ - "Legitimate administrative activity related to shadow copies." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Symbolic Link to Shadow Copy Created", - "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", - "references": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", - "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", - "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", - "https://www.hackingarticles.in/credential-dumping-ntds-dit/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", - "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json new file mode 100644 index 000000000000..52f681fd7491 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", + "false_positives": [ + "Legitimate administrative activity related to shadow copies." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Symbolic Link to Shadow Copy Created", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", + "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", + "https://www.hackingarticles.in/credential-dumping-ntds-dit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json new file mode 100644 index 000000000000..4eca3c1dd88d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", + "false_positives": [ + "Legitimate administrative activity related to shadow copies." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Symbolic Link to Shadow Copy Created", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", + "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", + "https://www.hackingarticles.in/credential-dumping-ntds-dit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json deleted file mode 100644 index bc5845eb0131..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Microsoft Office Sandbox Evasion", - "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", - "references": [ - "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", - "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", - "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1497", - "name": "Virtualization/Sandbox Evasion", - "reference": "https://attack.mitre.org/techniques/T1497/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json new file mode 100644 index 000000000000..aa0f86191469 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Microsoft Office Sandbox Evasion", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos\n", + "references": [ + "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", + "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", + "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1497", + "name": "Virtualization/Sandbox Evasion", + "reference": "https://attack.mitre.org/techniques/T1497/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json new file mode 100644 index 000000000000..2cdcf59434c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Microsoft Office Sandbox Evasion", + "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", + "references": [ + "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", + "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", + "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1497", + "name": "Virtualization/Sandbox Evasion", + "reference": "https://attack.mitre.org/techniques/T1497/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json deleted file mode 100644 index df9f481e685c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json +++ /dev/null @@ -1,120 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Disabling User Account Control via Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", - "references": [ - "https://www.greyhathacker.net/?p=796", - "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", - "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json new file mode 100644 index 000000000000..fdba714fb856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling User Account Control via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json new file mode 100644 index 000000000000..a8ba76e7aaf1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling User Account Control via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json deleted file mode 100644 index 4fe843dd60e1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Clearing Windows Event Logs", - "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.001", - "name": "Clear Windows Event Logs", - "reference": "https://attack.mitre.org/techniques/T1070/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json new file mode 100644 index 000000000000..f2ee562cd2fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Event Logs", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json new file mode 100644 index 000000000000..2bee70b7522e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Event Logs", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json deleted file mode 100644 index 581a6cf87bd8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json +++ /dev/null @@ -1,123 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote Windows Service Installed", - "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ServiceFileName", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.id", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 6 - }, - "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json new file mode 100644 index 000000000000..bd3d13deb0c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Windows Service Installed", + "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where host.os.type == \"windows\" and event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json new file mode 100644 index 000000000000..fc98682d6118 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json @@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Windows Service Installed", + "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json new file mode 100644 index 000000000000..a710a8c9a5a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Windows Service Installed", + "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.id", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json deleted file mode 100644 index e6b5f3b38dbc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Shell Execution via Apple Scripting", - "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", - "references": [ - "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", - "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json new file mode 100644 index 000000000000..0bce8001a2c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shell Execution via Apple Scripting", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", + "references": [ + "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json new file mode 100644 index 000000000000..e0d2858dbd26 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shell Execution via Apple Scripting", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", + "references": [ + "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json deleted file mode 100644 index 71d00d7ac4b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Delete an Okta Application", - "note": "", - "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json new file mode 100644 index 000000000000..4855af2abf3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json new file mode 100644 index 000000000000..6a143b787907 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json deleted file mode 100644 index 8c31ea2946b0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", - "false_positives": [ - "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." - ], - "index": [ - "apm-*-transaction*", - "traces-apm*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Web Application Suspicious Activity: sqlmap User Agent", - "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n", - "references": [ - "http://sqlmap.org/" - ], - "related_integrations": [ - { - "package": "apm", - "version": "^8.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "user_agent.original", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", - "severity": "medium", - "tags": [ - "Data Source: APM" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json new file mode 100644 index 000000000000..929395f7e30f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", + "false_positives": [ + "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: sqlmap User Agent", + "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n", + "references": [ + "http://sqlmap.org/" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_102.json b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_102.json new file mode 100644 index 000000000000..8b3170120b9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_102.json @@ -0,0 +1,46 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", + "false_positives": [ + "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + ], + "index": [ + "apm-*-transaction*", + "traces-apm*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Web Application Suspicious Activity: sqlmap User Agent", + "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n", + "references": [ + "http://sqlmap.org/" + ], + "related_integrations": [ + { + "package": "apm", + "version": "^8.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", + "severity": "medium", + "tags": [ + "Data Source: APM" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json deleted file mode 100644 index f3253cdd4354..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_system_information_discovery" - ], - "name": "Unusual Linux System Information Discovery Activity", - "risk_score": 21, - "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json new file mode 100644 index 000000000000..40ae06797307 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_information_discovery" + ], + "name": "Unusual Linux System Information Discovery Activity", + "risk_score": 21, + "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json new file mode 100644 index 000000000000..42b3ce6f4a38 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_system_information_discovery" + ], + "name": "Unusual Linux System Information Discovery Activity", + "risk_score": 21, + "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json deleted file mode 100644 index 00bdc2b24da0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", - "false_positives": [ - "Business travelers who roam to new locations may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_rare_source_ip_for_a_user", - "name": "Unusual Source IP for a User to Logon from", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json new file mode 100644 index 000000000000..123485207780 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", + "false_positives": [ + "Business travelers who roam to new locations may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_source_ip_for_a_user", + "name": "Unusual Source IP for a User to Logon from", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json new file mode 100644 index 000000000000..1201e39827a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", + "false_positives": [ + "Business travelers who roam to new locations may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_rare_source_ip_for_a_user", + "name": "Unusual Source IP for a User to Logon from", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json deleted file mode 100644 index 83416df4c691..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privilege Escalation via Windir Environment Variable", - "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", - "references": [ - "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.007", - "name": "Path Interception by PATH Environment Variable", - "reference": "https://attack.mitre.org/techniques/T1574/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json new file mode 100644 index 000000000000..709c4e01ece0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Windir Environment Variable", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", + "references": [ + "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json new file mode 100644 index 000000000000..53779bc74c61 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Windir Environment Variable", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", + "references": [ + "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json deleted file mode 100644 index c0753f4b5529..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Delete an Okta Policy Rule", - "note": "", - "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json new file mode 100644 index 000000000000..ddf065579411 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json new file mode 100644 index 000000000000..8458e371cbc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Delete an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json deleted file mode 100644 index 896ca18446be..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Service Command Lateral Movement", - "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1569", - "name": "System Services", - "reference": "https://attack.mitre.org/techniques/T1569/", - "subtechnique": [ - { - "id": "T1569.002", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1569/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json new file mode 100644 index 000000000000..7cadba3072b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json @@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Command Lateral Movement", + "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json new file mode 100644 index 000000000000..606d4b59fb51 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Command Lateral Movement", + "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json deleted file mode 100644 index a0cc5b96e115..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json +++ /dev/null @@ -1,111 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", - "false_positives": [ - "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Log Stream Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", - "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Impact", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1485", - "name": "Data Destruction", - "reference": "https://attack.mitre.org/techniques/T1485/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json new file mode 100644 index 000000000000..2616f6da75fe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", + "false_positives": [ + "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Log Stream Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Impact", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json new file mode 100644 index 000000000000..547cb75516e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", + "false_positives": [ + "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Log Stream Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Impact", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json deleted file mode 100644 index c2dd150e75c2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", - "false_positives": [ - "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Pub/Sub Subscription Creation", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n", - "references": [ - "https://cloud.google.com/pubsub/docs/overview" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", - "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json new file mode 100644 index 000000000000..8b89dc51c14a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", + "false_positives": [ + "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Subscription Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json new file mode 100644 index 000000000000..db137b231a63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", + "false_positives": [ + "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Pub/Sub Subscription Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n", + "references": [ + "https://cloud.google.com/pubsub/docs/overview" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Log Auditing", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1530", + "name": "Data from Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1530/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json deleted file mode 100644 index f1fef691f81c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Information Discovery via Windows Command Shell", - "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - }, - { - "id": "T1083", - "name": "File and Directory Discovery", - "reference": "https://attack.mitre.org/techniques/T1083/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.003", - "name": "Windows Command Shell", - "reference": "https://attack.mitre.org/techniques/T1059/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json new file mode 100644 index 000000000000..d2af8e9da4df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Information Discovery via Windows Command Shell", + "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json new file mode 100644 index 000000000000..f09b801ba0db --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Information Discovery via Windows Command Shell", + "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json new file mode 100644 index 000000000000..3be6e13b8b83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Information Discovery via Windows Command Shell", + "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json deleted file mode 100644 index 18034d715efd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", - "false_positives": [ - "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json new file mode 100644 index 000000000000..3f637a203365 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json new file mode 100644 index 000000000000..0def32d37353 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json deleted file mode 100644 index e83c39e08011..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Modification of WDigest Security Provider", - "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", - "references": [ - "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", - "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", - "https://frsecure.com/compromised-credentials-response-playbook", - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json new file mode 100644 index 000000000000..b76c492354e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of WDigest Security Provider", + "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", + "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json new file mode 100644 index 000000000000..732f7a2a28c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of WDigest Security Provider", + "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", + "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json deleted file mode 100644 index 6027a5bafcc0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", - "false_positives": [ - "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Command Execution via SolarWinds Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1195", - "name": "Supply Chain Compromise", - "reference": "https://attack.mitre.org/techniques/T1195/", - "subtechnique": [ - { - "id": "T1195.002", - "name": "Compromise Software Supply Chain", - "reference": "https://attack.mitre.org/techniques/T1195/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json new file mode 100644 index 000000000000..a028268a055b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", + "false_positives": [ + "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Execution via SolarWinds Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json new file mode 100644 index 000000000000..71e4c99670a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", + "false_positives": [ + "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Execution via SolarWinds Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json deleted file mode 100644 index fa4118a78959..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", - "false_positives": [ - "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json new file mode 100644 index 000000000000..1263398d7e1f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json new file mode 100644 index 000000000000..01e372c35eb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json deleted file mode 100644 index c06228972222..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SystemKey Access via Command Line", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", - "references": [ - "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.001", - "name": "Keychain", - "reference": "https://attack.mitre.org/techniques/T1555/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "d75991f2-b989-419d-b797-ac1e54ec2d61", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json new file mode 100644 index 000000000000..c782d6729f14 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SystemKey Access via Command Line", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", + "references": [ + "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json new file mode 100644 index 000000000000..5fb62d017229 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SystemKey Access via Command Line", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", + "references": [ + "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json deleted file mode 100644 index 3d627cafb1ae..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Interactive Terminal Spawned via Python", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count \u003e= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.006", - "name": "Python", - "reference": "https://attack.mitre.org/techniques/T1059/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "d76b02ef-fc95-4001-9297-01cb7412232f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json new file mode 100644 index 000000000000..b15618c7e346 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:python* and\n process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json new file mode 100644 index 000000000000..1a4fe70ae64a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"python*\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and \n process.executable : \"/bin/*sh\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "type": "eql", + "version": 104 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json new file mode 100644 index 000000000000..ad5141de31d0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"python*\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and \n process.executable : \"/bin/*sh\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "type": "eql", + "version": 105 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json new file mode 100644 index 000000000000..357c2c3220e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count \u003e= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json deleted file mode 100644 index b18fefcb6b52..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", - "false_positives": [ - "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Blob Permissions Modification", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1222", - "name": "File and Directory Permissions Modification", - "reference": "https://attack.mitre.org/techniques/T1222/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json new file mode 100644 index 000000000000..54f1251c35ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Permissions Modification", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json new file mode 100644 index 000000000000..00804cbeac83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", + "false_positives": [ + "Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Blob Permissions Modification", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json deleted file mode 100644 index 366b6152e534..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", - "false_positives": [ - "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_high_count_logon_events", - "name": "Spike in Logon Events", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json new file mode 100644 index 000000000000..d9e7ea942bca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", + "false_positives": [ + "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_events", + "name": "Spike in Logon Events", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json new file mode 100644 index 000000000000..14f1471aa041 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", + "false_positives": [ + "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_events", + "name": "Spike in Logon Events", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json deleted file mode 100644 index 064d3a58bfce..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", - "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SMTP on Port 26/TCP", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", - "references": [ - "https://unit42.paloaltonetworks.com/unit42-badpatch/", - "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1048", - "name": "Exfiltration Over Alternative Protocol", - "reference": "https://attack.mitre.org/techniques/T1048/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 101 - }, - "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json new file mode 100644 index 000000000000..35effd4c4e36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP on Port 26/TCP", + "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 100 + }, + "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json new file mode 100644 index 000000000000..6046e4bfe8b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP on Port 26/TCP", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json deleted file mode 100644 index 96e209a73879..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Untrusted Driver Loaded", - "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", - "references": [ - "https://github.com/hfiref0x/TDL", - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dll.code_signature.status", - "type": "keyword" - }, - { - "ecs": true, - "name": "dll.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pid", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.006", - "name": "Code Signing Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1553/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json new file mode 100644 index 000000000000..141094225371 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Untrusted Driver Loaded", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", + "references": [ + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json new file mode 100644 index 000000000000..ac443d41b487 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Untrusted Driver Loaded", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", + "references": [ + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json new file mode 100644 index 000000000000..9ad03d5734db --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Untrusted Driver Loaded", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", + "references": [ + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json deleted file mode 100644 index 183c7d120ad6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", - "false_positives": [ - "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Deactivation of MFA Device", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json new file mode 100644 index 000000000000..f77a9d2c665b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", + "false_positives": [ + "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Deactivation of MFA Device", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json new file mode 100644 index 000000000000..ea06a80cdc02 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", + "false_positives": [ + "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Deactivation of MFA Device", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Resources: Investigation Guide", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json deleted file mode 100644 index 2f4b9f300173..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Volume Shadow Copy Deletion via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", - "references": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", - "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", - "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "d99a037b-c8e2-47a5-97b9-170d076827c4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json new file mode 100644 index 000000000000..eb6ef776f3fe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", + "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json new file mode 100644 index 000000000000..44ac208a90ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", + "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json deleted file mode 100644 index 8e3531deb052..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Code Signing Policy Modification Through Registry", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.006", - "name": "Code Signing Policy Modification", - "reference": "https://attack.mitre.org/techniques/T1553/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json new file mode 100644 index 000000000000..74e35ab2f095 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json new file mode 100644 index 000000000000..ff564ab3bbfc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json new file mode 100644 index 000000000000..bd4da86ead77 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json deleted file mode 100644 index c5c2d2f71fc4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Service was Installed in the System", - "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.ImagePath", - "type": "unknown" - }, - { - "ecs": false, - "name": "winlog.event_data.ServiceFileName", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 7 - }, - "id": "da87eee1-129c-4661-a7aa-57d0b9645fad", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json new file mode 100644 index 000000000000..36f33b2c05f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious service was installed in the system", + "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where host.os.type == \"windows\" and\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ImagePath", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json new file mode 100644 index 000000000000..6518b0f3d144 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious service was installed in the system", + "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ImagePath", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json new file mode 100644 index 000000000000..04240f1ab14a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Service was Installed in the System", + "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ImagePath", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json new file mode 100644 index 000000000000..096425967fd5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Service was Installed in the System", + "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ImagePath", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json deleted file mode 100644 index c4c207ee7f97..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "winlogbeat-*", - "logs-windows.*", - "logs-system.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Pass-the-Hash (PtH) Attempt", - "new_terms_fields": [ - "user.id" - ], - "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", - "references": [ - "https://attack.mitre.org/techniques/T1550/002/" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.LogonProcessName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1550", - "name": "Use Alternate Authentication Material", - "reference": "https://attack.mitre.org/techniques/T1550/", - "subtechnique": [ - { - "id": "T1550.002", - "name": "Pass the Hash", - "reference": "https://attack.mitre.org/techniques/T1550/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json new file mode 100644 index 000000000000..e7bbd7966be4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json @@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Pass-the-Hash (PtH) Attempt", + "new_terms_fields": [ + "user.id" + ], + "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", + "references": [ + "https://attack.mitre.org/techniques/T1550/002/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json new file mode 100644 index 000000000000..cfac8d8201df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Pass-the-Hash (PtH) Attempt", + "new_terms_fields": [ + "user.id" + ], + "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", + "references": [ + "https://attack.mitre.org/techniques/T1550/002/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json deleted file mode 100644 index d797b3e3e2ba..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Multi-Factor Authentication Disabled for an Azure User", - "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. This modification weakens account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json new file mode 100644 index 000000000000..dd190891bc35 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Multi-Factor Authentication Disabled for an Azure User", + "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. This modification weakens account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json new file mode 100644 index 000000000000..c36374644484 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Multi-Factor Authentication Disabled for an Azure User", + "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. This modification weakens account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json deleted file mode 100644 index 4f2846253d5b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution via Windows Subsystem for Linux", - "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", - "references": [ - "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json new file mode 100644 index 000000000000..f55a5adca23c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json new file mode 100644 index 000000000000..758879b20d46 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json deleted file mode 100644 index f048b25eb996..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Credential Dumping - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "type": "query", - "version": 101 - }, - "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json new file mode 100644 index 000000000000..e57e347699af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Dumping - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "query", + "version": 100 + }, + "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json new file mode 100644 index 000000000000..61d08cc80f94 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Dumping - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "type": "query", + "version": 101 + }, + "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json deleted file mode 100644 index 28be8c4927c5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Content Extracted or Decompressed via Funzip", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", - "references": [ - "https://attack.mitre.org/software/S0482/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json new file mode 100644 index 000000000000..6eb408e8e665 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Content Extracted or Decompressed via Funzip", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", + "references": [ + "https://attack.mitre.org/software/S0482/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json deleted file mode 100644 index 01b9dc906f5e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Hidden Process via Mount Hidepid", - "query": "process where process.name==\"mount\" and event.action ==\"exec\" and\n process.args: ( \"/proc\") and process.args: (\"-o\") and process.args:(\"*hidepid=2*\") and\n host.os.type == \"linux\"\n", - "references": [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json new file mode 100644 index 000000000000..a773ea353fcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where process.name==\"mount\" and event.action ==\"exec\" and\n process.args: ( \"/proc\") and process.args: (\"-o\") and process.args:(\"*hidepid=2*\") and\n host.os.type == \"linux\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json new file mode 100644 index 000000000000..43206e1e49c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where process.name==\"mount\" and event.action ==\"exec\" and\n process.args: ( \"/proc\") and process.args: (\"-o\") and process.args:(\"*hidepid=2*\") and\n host.os.type == \"linux\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json deleted file mode 100644 index f8ea1167fef6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Volume Shadow Copy Deletion via WMIC", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1490", - "name": "Inhibit System Recovery", - "reference": "https://attack.mitre.org/techniques/T1490/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json new file mode 100644 index 000000000000..b89bf9ef216e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via WMIC", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Impact", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json new file mode 100644 index 000000000000..e139735469c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via WMIC", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json deleted file mode 100644 index 8443b1a84e58..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 50, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", - "false_positives": [ - "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." - ], - "from": "now-2h", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "rare_method_for_a_country", - "name": "Unusual Country For an AWS Command", - "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "related_integrations": [], - "risk_score": 21, - "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Resources: Investigation Guide" - ], - "type": "machine_learning", - "version": 105 - }, - "id": "dca28dee-c999-400f-b640-50a081cc0fd1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json new file mode 100644 index 000000000000..1839971f993c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_country", + "name": "Unusual Country For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "ML", + "Machine Learning", + "Investigation Guide" + ], + "type": "machine_learning", + "version": 104 + }, + "id": "dca28dee-c999-400f-b640-50a081cc0fd1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json new file mode 100644 index 000000000000..5c17c15ca807 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "anomaly_threshold": 50, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", + "false_positives": [ + "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." + ], + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "rare_method_for_a_country", + "name": "Unusual Country For an AWS Command", + "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "related_integrations": [], + "risk_score": 21, + "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Resources: Investigation Guide" + ], + "type": "machine_learning", + "version": 105 + }, + "id": "dca28dee-c999-400f-b640-50a081cc0fd1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json deleted file mode 100644 index 4054a07d2bf6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Install Kali Linux via WSL", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppDara\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", - "references": [ - "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json new file mode 100644 index 000000000000..32bc5b5ddb1f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Install Kali Linux via WSL", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppDara\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json new file mode 100644 index 000000000000..f2cda7d6e330 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Install Kali Linux via WSL", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppDara\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json deleted file mode 100644 index 3d5e432b2328..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "NullSessionPipe Registry Modification", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", - "references": [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json new file mode 100644 index 000000000000..6875e5de65cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "NullSessionPipe Registry Modification", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "references": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json new file mode 100644 index 000000000000..599fecb25ba2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "NullSessionPipe Registry Modification", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "references": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json deleted file mode 100644 index 117e678249b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Child Process from a System Virtual Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.pid", - "type": "long" - } - ], - "risk_score": 73, - "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json new file mode 100644 index 000000000000..117584de0ddc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process from a System Virtual Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json new file mode 100644 index 000000000000..02db8026916a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process from a System Virtual Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json deleted file mode 100644 index 1451f6955ba6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", - "false_positives": [ - "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Base16 or Base32 Encoding/Decoding Activity", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "debff20a-46bc-4a4d-bae5-5cdd14222795", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json new file mode 100644 index 000000000000..771082f613f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json new file mode 100644 index 000000000000..ce7bbdf13c78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json deleted file mode 100644 index dcd5cb275bed..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", - "from": "now-9m", - "history_window_start": "now-30d", - "index": [ - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "First Time Seen Driver Loaded", - "new_terms_fields": [ - "dll.pe.original_file_name", - "dll.code_signature.subject_name" - ], - "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", - "references": [ - "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 4 - }, - "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json new file mode 100644 index 000000000000..c3e7376b74ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", + "from": "now-9m", + "history_window_start": "now-30d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Driver Loaded", + "new_terms_fields": [ + "dll.pe.original_file_name", + "dll.code_signature.subject_name" + ], + "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", + "references": [ + "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json new file mode 100644 index 000000000000..56f1d5683bc3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", + "from": "now-9m", + "history_window_start": "now-30d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Driver Loaded", + "new_terms_fields": [ + "dll.pe.original_file_name", + "dll.code_signature.subject_name" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", + "references": [ + "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json new file mode 100644 index 000000000000..1a927a91c7f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", + "from": "now-9m", + "history_window_start": "now-30d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Driver Loaded", + "new_terms_fields": [ + "dll.pe.original_file_name", + "dll.code_signature.subject_name" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", + "references": [ + "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json deleted file mode 100644 index c9f719a5af80..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", - "false_positives": [ - "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_windows_rare_metadata_user" - ], - "name": "Unusual Windows User Calling the Metadata Service", - "risk_score": 21, - "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.005", - "name": "Cloud Instance Metadata API", - "reference": "https://attack.mitre.org/techniques/T1552/005/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 102 - }, - "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json new file mode 100644 index 000000000000..28b49af299cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json @@ -0,0 +1,59 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_metadata_user" + ], + "name": "Unusual Windows User Calling the Metadata Service", + "risk_score": 21, + "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json new file mode 100644 index 000000000000..09f16ce1c876 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json @@ -0,0 +1,58 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", + "false_positives": [ + "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_windows_rare_metadata_user" + ], + "name": "Unusual Windows User Calling the Metadata Service", + "risk_score": 21, + "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json deleted file mode 100644 index 85ee0f93b77c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Automation Account Created", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n", - "references": [ - "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", - "https://github.com/hausec/PowerZure", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "df26fd74-1baa-4479-b42e-48da84642330", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "df26fd74-1baa-4479-b42e-48da84642330", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json new file mode 100644 index 000000000000..26fe78ca8834 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Account Created", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "df26fd74-1baa-4479-b42e-48da84642330", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "df26fd74-1baa-4479-b42e-48da84642330_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json new file mode 100644 index 000000000000..97949cb1ee48 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Account Created", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "df26fd74-1baa-4479-b42e-48da84642330", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "df26fd74-1baa-4479-b42e-48da84642330_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json deleted file mode 100644 index 96c3bef72cd5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Dynamic Linker Copy", - "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", - "references": [ - "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "df6f62d9-caab-4b88-affa-044f4395a1e0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json new file mode 100644 index 000000000000..d6a7dd62dfc8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dynamic Linker Copy", + "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Orbit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json new file mode 100644 index 000000000000..b3b9e3090bff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dynamic Linker Copy", + "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json deleted file mode 100644 index 137bfaeb3afb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", - "false_positives": [ - "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Pod Created With HostPID", - "note": "", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", - "references": [ - "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", - "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", - "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.containers.image", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestObject.spec.hostPID", - "type": "unknown" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1611", - "name": "Escape to Host", - "reference": "https://attack.mitre.org/techniques/T1611/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1610", - "name": "Deploy Container", - "reference": "https://attack.mitre.org/techniques/T1610/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 202 - }, - "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json new file mode 100644 index 000000000000..544dc8f1379c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostPID", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostPID", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 201 + }, + "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_201", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json new file mode 100644 index 000000000000..08d9da0e2be6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostPID", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostPID", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 202 + }, + "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_202", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json deleted file mode 100644 index 15f9ace5acab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", - "false_positives": [ - "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Firewall Policy Deletion", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json new file mode 100644 index 000000000000..71053fb9e0ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", + "false_positives": [ + "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Firewall Policy Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Network Security" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json new file mode 100644 index 000000000000..416b68325ef5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", + "false_positives": [ + "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Firewall Policy Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json deleted file mode 100644 index 30d35427cff6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "KRBTGT Delegation Backdoor", - "note": "", - "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", - "references": [ - "https://skyblue.team/posts/delegate-krbtgt", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AllowedToDelegateTo", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json new file mode 100644 index 000000000000..68732b650e63 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "KRBTGT Delegation Backdoor", + "note": "", + "query": "event.action:modified-user-account and host.os.type:windows and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", + "references": [ + "https://skyblue.team/posts/delegate-krbtgt", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AllowedToDelegateTo", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json new file mode 100644 index 000000000000..4ec961c185ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "KRBTGT Delegation Backdoor", + "note": "", + "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", + "references": [ + "https://skyblue.team/posts/delegate-krbtgt", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AllowedToDelegateTo", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json new file mode 100644 index 000000000000..220ff3acec45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "KRBTGT Delegation Backdoor", + "note": "", + "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", + "references": [ + "https://skyblue.team/posts/delegate-krbtgt", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AllowedToDelegateTo", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json deleted file mode 100644 index 091102ca31ec..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "System Service Discovery through built-in Windows Utilities", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\")\n ) and not user.id : \"S-1-5-18\"\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1007", - "name": "System Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1007/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json new file mode 100644 index 000000000000..50bcb45a0b77 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Service Discovery through built-in Windows Utilities", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\")\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1007", + "name": "System Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1007/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json new file mode 100644 index 000000000000..1644d2d81d9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Service Discovery through built-in Windows Utilities", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\")\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1007", + "name": "System Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1007/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json deleted file mode 100644 index 05134ed8a9a3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "@BenB196", - "Austin Songer" - ], - "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", - "from": "now-180m", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempts to Brute Force an Okta User Account", - "note": "", - "query": "event.dataset:okta.system and event.action:user.account.lock\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "okta.actor.alternate_id" - ], - "value": 3 - }, - "type": "threshold", - "version": 103 - }, - "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json new file mode 100644 index 000000000000..9867b2901371 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic", + "@BenB196", + "Austin Songer" + ], + "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", + "from": "now-180m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.lock\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.alternate_id" + ], + "value": 3 + }, + "type": "threshold", + "version": 102 + }, + "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json new file mode 100644 index 000000000000..0b257b2d6dff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic", + "@BenB196", + "Austin Songer" + ], + "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", + "from": "now-180m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempts to Brute Force an Okta User Account", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.lock\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.alternate_id" + ], + "value": 3 + }, + "type": "threshold", + "version": 103 + }, + "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json deleted file mode 100644 index 6c6d9f41a451..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", - "false_positives": [ - "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Event Hub Deletion", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", - "https://azure.microsoft.com/en-in/services/event-hubs/", - "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Log Auditing", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "e0f36de1-0342-453d-95a9-a068b257b053", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json new file mode 100644 index 000000000000..8db8e7d5abfb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", + "false_positives": [ + "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Event Hub Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", + "https://azure.microsoft.com/en-in/services/event-hubs/", + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Log Auditing" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "e0f36de1-0342-453d-95a9-a068b257b053_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json new file mode 100644 index 000000000000..8aea88f96534 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", + "false_positives": [ + "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Event Hub Deletion", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", + "https://azure.microsoft.com/en-in/services/event-hubs/", + "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Log Auditing", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e0f36de1-0342-453d-95a9-a068b257b053_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json deleted file mode 100644 index 66478c1afb8b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when an AWS Route Table has been created.", - "false_positives": [ - "Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Route Table Created", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", - "references": [ - "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e12c0318-99b1-44f2-830c-3a38a43207ca", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json new file mode 100644 index 000000000000..0b2f1d62af99 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been created.", + "false_positives": [ + "Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", + "references": [ + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json new file mode 100644 index 000000000000..0645c7e7254c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been created.", + "false_positives": [ + "Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", + "references": [ + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json deleted file mode 100644 index e696ff32d976..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", - "false_positives": [ - "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Cluster Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json new file mode 100644 index 000000000000..037680e05a98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", + "false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Cluster Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json new file mode 100644 index 000000000000..4677dc2a8d98 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", + "false_positives": [ + "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Cluster Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json deleted file mode 100644 index 0a2c52d7e200..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", - "false_positives": [ - "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to External Network via Telnet", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "e19e64ee-130e-4c07-961f-8a339f0b8362", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json new file mode 100644 index 000000000000..65e36d412af9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to External Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json new file mode 100644 index 000000000000..d9affb8c0384 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to External Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json deleted file mode 100644 index 61f2184ea376..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Mining Process Creation Event", - "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "e2258f48-ba75-4248-951b-7c885edf18c2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json new file mode 100644 index 000000000000..f8ef7cab1e45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Mining Process Creation Event", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e2258f48-ba75-4248-951b-7c885edf18c2_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json new file mode 100644 index 000000000000..8b1b95bfd051 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Mining Process Creation Event", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e2258f48-ba75-4248-951b-7c885edf18c2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json deleted file mode 100644 index 48cee1320bab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", - "false_positives": [ - "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", - "name": "Spike in Successful Logon Events from a Source IP", - "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.002", - "name": "Domain Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/002/" - }, - { - "id": "T1078.003", - "name": "Local Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/003/" - } - ] - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json new file mode 100644 index 000000000000..ef71985128c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", + "false_positives": [ + "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", + "name": "Spike in Successful Logon Events from a Source IP", + "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", + "severity": "low", + "tags": [ + "Elastic", + "Authentication", + "Threat Detection", + "ML", + "Machine Learning", + "Credential Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json new file mode 100644 index 000000000000..dcaeebdb01ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", + "false_positives": [ + "Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", + "name": "Spike in Successful Logon Events from a Source IP", + "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + }, + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json deleted file mode 100644 index 889ac24a5235..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1055", - "name": "Process Injection", - "reference": "https://attack.mitre.org/techniques/T1055/", - "subtechnique": [ - { - "id": "T1055.001", - "name": "Dynamic-link Library Injection", - "reference": "https://attack.mitre.org/techniques/T1055/001/" - }, - { - "id": "T1055.002", - "name": "Portable Executable Injection", - "reference": "https://attack.mitre.org/techniques/T1055/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "e26f042e-c590-4e82-8e05-41e81bd822ad", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json new file mode 100644 index 000000000000..06e8e9765ff1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious .NET Reflection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json new file mode 100644 index 000000000000..d350701aaed7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious .NET Reflection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json new file mode 100644 index 000000000000..3d5f5340abbb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious .NET Reflection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json deleted file mode 100644 index 00145cb8fff9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a successful login to the AWS Management Console by the Root user.", - "false_positives": [ - "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Management Console Root Login", - "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json new file mode 100644 index 000000000000..e6461b8356fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a successful login to the AWS Management Console by the Root user.", + "false_positives": [ + "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Root Login", + "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json new file mode 100644 index 000000000000..3a665981ba82 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a successful login to the AWS Management Console by the Root user.", + "false_positives": [ + "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Management Console Root Login", + "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json deleted file mode 100644 index e31555d783f6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Subsystem for Linux Enabled via Dism Utility", - "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", - "references": [ - "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json new file mode 100644 index 000000000000..1a9f9ae93624 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Enabled via Dism Utility", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json new file mode 100644 index 000000000000..8c77da6864da --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Enabled via Dism Utility", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json deleted file mode 100644 index daad6410236d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Process Execution via Renamed PsExec Executable", - "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1569", - "name": "System Services", - "reference": "https://attack.mitre.org/techniques/T1569/", - "subtechnique": [ - { - "id": "T1569.002", - "name": "Service Execution", - "reference": "https://attack.mitre.org/techniques/T1569/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json new file mode 100644 index 000000000000..0dfefa078a00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Execution via Renamed PsExec Executable", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json new file mode 100644 index 000000000000..9eb75a990e93 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Execution via Renamed PsExec Executable", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json deleted file mode 100644 index 4621f8e9df6e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", - "false_positives": [ - "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP IAM Role Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n", - "references": [ - "https://cloud.google.com/iam/docs/understanding-roles" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1531", - "name": "Account Access Removal", - "reference": "https://attack.mitre.org/techniques/T1531/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json new file mode 100644 index 000000000000..91873e82a185 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", + "false_positives": [ + "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Role Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/understanding-roles" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json new file mode 100644 index 000000000000..5a6a538c4a62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", + "false_positives": [ + "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP IAM Role Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n", + "references": [ + "https://cloud.google.com/iam/docs/understanding-roles" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json deleted file mode 100644 index 34682c06f241..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", - "false_positives": [ - "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.001", - "name": "Compiled HTML File", - "reference": "https://attack.mitre.org/techniques/T1218/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json new file mode 100644 index 000000000000..fc379beebdc3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json new file mode 100644 index 000000000000..3977022a445c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json new file mode 100644 index 000000000000..1832175f1921 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json deleted file mode 100644 index b28669cff0ff..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", - "false_positives": [ - "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Route53 private hosted zone associated with a VPC", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e3c27562-709a-42bd-82f2-3ed926cced19", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json new file mode 100644 index 000000000000..2ae4979ea862 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", + "false_positives": [ + "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route53 private hosted zone associated with a VPC", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e3c27562-709a-42bd-82f2-3ed926cced19_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json new file mode 100644 index 000000000000..8deec88761fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", + "false_positives": [ + "A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route53 private hosted zone associated with a VPC", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e3c27562-709a-42bd-82f2-3ed926cced19_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json deleted file mode 100644 index ed3c7c009f2e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", - "from": "now-15m", - "index": [ - "endgame-*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "Ransomware - Prevented - Elastic Endgame", - "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", - "required_fields": [ - { - "ecs": false, - "name": "endgame.event_subtype_full", - "type": "unknown" - }, - { - "ecs": false, - "name": "endgame.metadata.type", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", - "severity": "high", - "tags": [ - "Data Source: Elastic Endgame" - ], - "type": "query", - "version": 101 - }, - "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json new file mode 100644 index 000000000000..688c1a1156d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json @@ -0,0 +1,56 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Ransomware - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame" + ], + "type": "query", + "version": 100 + }, + "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac_100", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json new file mode 100644 index 000000000000..0d2456a1cebb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Ransomware - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", + "severity": "high", + "tags": [ + "Data Source: Elastic Endgame" + ], + "type": "query", + "version": 101 + }, + "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json deleted file mode 100644 index eeff7efd2ddc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Connection to Commonly Abused Free SSL Certificate Providers", - "note": "", - "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "dns.question.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1573", - "name": "Encrypted Channel", - "reference": "https://attack.mitre.org/techniques/T1573/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json new file mode 100644 index 000000000000..5fd5010fe0a3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Free SSL Certificate Providers", + "note": "", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json new file mode 100644 index 000000000000..d0e83d21ed72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Free SSL Certificate Providers", + "note": "", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json deleted file mode 100644 index c9f00321da15..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "note": "", - "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", - "references": [ - "https://userbase.kde.org/System_Settings/Autostart", - "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json new file mode 100644 index 000000000000..3a5ebf767587 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", + "references": [ + "https://userbase.kde.org/System_Settings/Autostart", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json new file mode 100644 index 000000000000..5eca935e4616 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", + "references": [ + "https://userbase.kde.org/System_Settings/Autostart", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json deleted file mode 100644 index 31a1f49519a1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json +++ /dev/null @@ -1,83 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Modify an Okta Network Zone", - "note": "", - "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.007", - "name": "Disable or Modify Cloud Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/007/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json new file mode 100644 index 000000000000..694c9d9c8286 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json new file mode 100644 index 000000000000..a89d31eb1a65 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Network Zone", + "note": "", + "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Network Security Monitoring", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json deleted file mode 100644 index 91b3ffce320f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json +++ /dev/null @@ -1,136 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Service Creation via Local Kerberos Authentication", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", - "references": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", - "https://github.com/cube0x0/KrbRelay", - "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.AuthenticationPackageName", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.SubjectLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.TargetLogonId", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 73, - "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "type": "eql", - "version": 105 - }, - "id": "e4e31051-ee01-4307-a6ee-b21b186958f4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json new file mode 100644 index 000000000000..6bc26bff41d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json @@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Creation via Local Kerberos Authentication", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where host.os.type == \"windows\" and\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", + "https://github.com/cube0x0/KrbRelay", + "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AuthenticationPackageName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json new file mode 100644 index 000000000000..6bbe8d49219f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Creation via Local Kerberos Authentication", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", + "https://github.com/cube0x0/KrbRelay", + "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AuthenticationPackageName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Credential Access", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json new file mode 100644 index 000000000000..c20198570126 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json @@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Creation via Local Kerberos Authentication", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", + "https://github.com/cube0x0/KrbRelay", + "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AuthenticationPackageName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json deleted file mode 100644 index ef87eb8dba63..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kerberos Pre-authentication Disabled for User", - "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", - "references": [ - "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "message", - "type": "match_only_text" - }, - { - "ecs": false, - "name": "winlog.api", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.004", - "name": "AS-REP Roasting", - "reference": "https://attack.mitre.org/techniques/T1558/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json new file mode 100644 index 000000000000..3e5b97252a2a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Pre-authentication Disabled for User", + "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.code:4738 and host.os.type:windows and message:\"'Don't Require Preauth' - Enabled\"\n", + "references": [ + "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + } + ], + "risk_score": 47, + "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.004", + "name": "AS-REP Roasting", + "reference": "https://attack.mitre.org/techniques/T1558/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json new file mode 100644 index 000000000000..79faeb90e1d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Pre-authentication Disabled for User", + "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", + "references": [ + "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.004", + "name": "AS-REP Roasting", + "reference": "https://attack.mitre.org/techniques/T1558/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json new file mode 100644 index 000000000000..24995442e7aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Pre-authentication Disabled for User", + "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", + "references": [ + "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.004", + "name": "AS-REP Roasting", + "reference": "https://attack.mitre.org/techniques/T1558/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json deleted file mode 100644 index 01814e72a7f4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "MFA Disabled for Google Workspace Organization", - "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.admin.new_value", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 205 - }, - "id": "e555105c-ba6d-481f-82bb-9b633e7b4827", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json new file mode 100644 index 000000000000..b05b82bd59ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "MFA Disabled for Google Workspace Organization", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json new file mode 100644 index 000000000000..ed4279308da2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "MFA Disabled for Google Workspace Organization", + "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 204 + }, + "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_204", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json new file mode 100644 index 000000000000..1b1626b9fa8c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "MFA Disabled for Google Workspace Organization", + "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 205 + }, + "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json deleted file mode 100644 index 9e5e4547fbd8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", - "false_positives": [ - "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Bash Shell Profile Modification", - "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", - "references": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.004", - "name": "Unix Shell Configuration Modification", - "reference": "https://attack.mitre.org/techniques/T1546/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json new file mode 100644 index 000000000000..245857aa0b29 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", + "false_positives": [ + "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Bash Shell Profile Modification", + "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", + "references": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Linux", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": "Unix Shell Configuration Modification", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json new file mode 100644 index 000000000000..40e91e370f91 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", + "false_positives": [ + "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Bash Shell Profile Modification", + "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", + "references": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": "Unix Shell Configuration Modification", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json deleted file mode 100644 index 054021eab4af..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Authorization Plugin Modification", - "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", - "references": [ - "https://developer.apple.com/documentation/security/authorization_plug-ins", - "https://www.xorrior.com/persistent-credential-theft/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": "https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json new file mode 100644 index 000000000000..2a5cd70449e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Authorization Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", + "references": [ + "https://developer.apple.com/documentation/security/authorization_plug-ins", + "https://www.xorrior.com/persistent-credential-theft/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json new file mode 100644 index 000000000000..e75eee67df7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Authorization Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", + "references": [ + "https://developer.apple.com/documentation/security/authorization_plug-ins", + "https://www.xorrior.com/persistent-credential-theft/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json deleted file mode 100644 index 6ee629139046..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Possible Okta DoS Attack", - "note": "", - "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1498", - "name": "Network Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1498/" - }, - { - "id": "T1499", - "name": "Endpoint Denial of Service", - "reference": "https://attack.mitre.org/techniques/T1499/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json new file mode 100644 index 000000000000..c32c461e977b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Okta DoS Attack", + "note": "", + "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + }, + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json new file mode 100644 index 000000000000..18ca41ad9897 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Okta DoS Attack", + "note": "", + "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1498", + "name": "Network Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1498/" + }, + { + "id": "T1499", + "name": "Endpoint Denial of Service", + "reference": "https://attack.mitre.org/techniques/T1499/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json deleted file mode 100644 index 81daef563568..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Screensaver Plist File Modified by Unexpected Process", - "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", - "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", - "references": [ - "https://posts.specterops.io/saving-your-access-d562bf5bf90b", - "https://github.com/D00MFist/PersistentJXA" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.exists", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json new file mode 100644 index 000000000000..65169f48f313 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Screensaver Plist File Modified by Unexpected Process", + "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json new file mode 100644 index 000000000000..04ebd69fdca4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Screensaver Plist File Modified by Unexpected Process", + "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json deleted file mode 100644 index 4ba6cc5f3d65..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Default Cobalt Strike Team Server Certificate", - "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", - "query": "event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", - "references": [ - "https://attack.mitre.org/software/S0154/", - "https://www.cobaltstrike.com/help-setup-collaboration", - "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", - "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", - "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", - "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "tls.server.hash.md5", - "type": "keyword" - }, - { - "ecs": true, - "name": "tls.server.hash.sha1", - "type": "keyword" - }, - { - "ecs": true, - "name": "tls.server.hash.sha256", - "type": "keyword" - } - ], - "risk_score": 99, - "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", - "severity": "critical", - "tags": [ - "Tactic: Command and Control", - "Threat: Cobalt Strike", - "Use Case: Threat Detection", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/", - "subtechnique": [ - { - "id": "T1071.001", - "name": "Web Protocols", - "reference": "https://attack.mitre.org/techniques/T1071/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e7075e8d-a966-458e-a183-85cd331af255", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json new file mode 100644 index 000000000000..e91b35369460 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Default Cobalt Strike Team Server Certificate", + "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", + "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", + "references": [ + "https://attack.mitre.org/software/S0154/", + "https://www.cobaltstrike.com/help-setup-collaboration", + "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.md5", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.sha1", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.sha256", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", + "severity": "critical", + "tags": [ + "Command and Control", + "Post-Execution", + "Threat Detection", + "Elastic", + "Network", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e7075e8d-a966-458e-a183-85cd331af255_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json new file mode 100644 index 000000000000..7e008eaf0037 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Default Cobalt Strike Team Server Certificate", + "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", + "query": "event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", + "references": [ + "https://attack.mitre.org/software/S0154/", + "https://www.cobaltstrike.com/help-setup-collaboration", + "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", + "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.md5", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.sha1", + "type": "keyword" + }, + { + "ecs": true, + "name": "tls.server.hash.sha256", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", + "severity": "critical", + "tags": [ + "Tactic: Command and Control", + "Threat: Cobalt Strike", + "Use Case: Threat Detection", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e7075e8d-a966-458e-a183-85cd331af255_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json deleted file mode 100644 index aa9ae8e6d315..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Execution of Persistent Suspicious Program", - "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json new file mode 100644 index 000000000000..de2043dbaf0d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json @@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of Persistent Suspicious Program", + "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json new file mode 100644 index 000000000000..000a6651be21 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of Persistent Suspicious Program", + "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json deleted file mode 100644 index d0360c8a452b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", - "references": [ - "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", - "severity": "medium", - "tags": [ - "Data Source: Elastic Endgame", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.008", - "name": "/etc/passwd and /etc/shadow", - "reference": "https://attack.mitre.org/techniques/T1003/008/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json new file mode 100644 index 000000000000..70b3fada8479 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Unshadow", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action == \"exec\" and process.args_count \u003e= 2\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json new file mode 100644 index 000000000000..9934f741319b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Unshadow", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json new file mode 100644 index 000000000000..b1d64f3b7e11 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Unshadow", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", + "severity": "medium", + "tags": [ + "Data Source: Elastic Endgame", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json deleted file mode 100644 index 685bb055bce5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when an AWS Route Table has been modified or deleted.", - "false_positives": [ - "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Route Table Modified or Deleted", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", - "references": [ - "https://github.com/easttimor/aws-incident-response#network-routing", - "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e7cd5982-17c8-4959-874c-633acde7d426", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json new file mode 100644 index 000000000000..c3a1075d8420 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been modified or deleted.", + "false_positives": [ + "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Modified or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", + "references": [ + "https://github.com/easttimor/aws-incident-response#network-routing", + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Network Security", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e7cd5982-17c8-4959-874c-633acde7d426_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json new file mode 100644 index 000000000000..5d0108488eb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been modified or deleted.", + "false_positives": [ + "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Modified or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", + "references": [ + "https://github.com/easttimor/aws-incident-response#network-routing", + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e7cd5982-17c8-4959-874c-633acde7d426_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json deleted file mode 100644 index a650aaec9b44..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json +++ /dev/null @@ -1,112 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "logs-system.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Service Control Spawned via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1543", - "name": "Create or Modify System Process", - "reference": "https://attack.mitre.org/techniques/T1543/", - "subtechnique": [ - { - "id": "T1543.003", - "name": "Windows Service", - "reference": "https://attack.mitre.org/techniques/T1543/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json new file mode 100644 index 000000000000..f59807babadd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-system.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Control Spawned via Script Interpreter", + "note": "", + "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json new file mode 100644 index 000000000000..d0766c15971a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-system.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Control Spawned via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json new file mode 100644 index 000000000000..acf4481386aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json @@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-system.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Control Spawned via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json deleted file mode 100644 index 5c7d2323c38a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Installation of Security Support Provider", - "note": "", - "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.005", - "name": "Security Support Provider", - "reference": "https://attack.mitre.org/techniques/T1547/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json new file mode 100644 index 000000000000..11ea184e31f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Security Support Provider", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.005", + "name": "Security Support Provider", + "reference": "https://attack.mitre.org/techniques/T1547/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json new file mode 100644 index 000000000000..78f983e81016 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Security Support Provider", + "note": "", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.005", + "name": "Security Support Provider", + "reference": "https://attack.mitre.org/techniques/T1547/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json deleted file mode 100644 index 51612cbbf5a0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Host Files System Changes via Windows Subsystem for Linux", - "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", - "references": [ - "https://github.com/microsoft/WSL" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json new file mode 100644 index 000000000000..4a76849b2e57 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Host Files System Changes via Windows Subsystem for Linux", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", + "references": [ + "https://github.com/microsoft/WSL" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json new file mode 100644 index 000000000000..2ba898e495e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Host Files System Changes via Windows Subsystem for Linux", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", + "references": [ + "https://github.com/microsoft/WSL" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json deleted file mode 100644 index 9f6a7643c863..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", - "from": "now-9m", - "history_window_start": "now-14d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious System Commands Executed by Previously Unknown Executable", - "new_terms_fields": [ - "process.executable" - ], - "query": "host.os.type : \"linux\" and event.category : \"process\" and \nevent.action : (\"exec\" or \"exec_event\" or \"fork\" or \"fork_event\") and \nprocess.executable : (\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*\n ) and process.args : (\n \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"ifconfig\" or \"netstat\" or \"route\" or \n \"ps\" or \"pwd\" or \"ls\"\n ) and not process.name : (\n \"sudo\" or \"which\" or \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"netstat\" or \"ps\" or \n \"pwd\" or \"ls\" or \"apt\" or \"dpkg\" or \"yum\" or \"rpm\" or \"dnf\" or \"dockerd\" or \"snapd\" or \"snap\"\n )\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json new file mode 100644 index 000000000000..772be774c50d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious System Commands Executed by Previously Unknown Executable", + "new_terms_fields": [ + "process.executable" + ], + "query": "host.os.type : \"linux\" and event.category : \"process\" and \nevent.action : (\"exec\" or \"exec_event\" or \"fork\" or \"fork_event\") and \nprocess.executable : (\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*\n ) and process.args : (\n \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"ifconfig\" or \"netstat\" or \"route\" or \n \"ps\" or \"pwd\" or \"ls\"\n ) and not process.name : (\n \"sudo\" or \"which\" or \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"netstat\" or \"ps\" or \n \"pwd\" or \"ls\" or \"apt\" or \"dpkg\" or \"yum\" or \"rpm\" or \"dnf\" or \"dockerd\" or \"snapd\" or \"snap\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json deleted file mode 100644 index 2b1d3fd923a2..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "@BenB196", - "Austin Songer" - ], - "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", - "false_positives": [ - "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "High Number of Okta User Password Reset or Unlock Attempts", - "note": "", - "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "threshold": { - "field": [ - "okta.actor.alternate_id" - ], - "value": 5 - }, - "type": "threshold", - "version": 103 - }, - "id": "e90ee3af-45fc-432e-a850-4a58cf14a457", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json new file mode 100644 index 000000000000..0a4411204f49 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic", + "@BenB196", + "Austin Songer" + ], + "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", + "false_positives": [ + "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Okta User Password Reset or Unlock Attempts", + "note": "", + "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.alternate_id" + ], + "value": 5 + }, + "type": "threshold", + "version": 102 + }, + "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json new file mode 100644 index 000000000000..ffad6614c581 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic", + "@BenB196", + "Austin Songer" + ], + "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", + "false_positives": [ + "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Okta User Password Reset or Unlock Attempts", + "note": "", + "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.alternate_id" + ], + "value": 5 + }, + "type": "threshold", + "version": 103 + }, + "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json deleted file mode 100644 index 4f1c221343e3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", - "false_positives": [ - "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS EC2 VM Export Failure", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", - "references": [ - "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Exfiltration", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1005", - "name": "Data from Local System", - "reference": "https://attack.mitre.org/techniques/T1005/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json new file mode 100644 index 000000000000..2a0fe1c063aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", + "false_positives": [ + "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 VM Export Failure", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", + "references": [ + "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json new file mode 100644 index 000000000000..8611ee7e5dc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", + "false_positives": [ + "VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS EC2 VM Export Failure", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", + "references": [ + "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Exfiltration", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json deleted file mode 100644 index f3cb76b48f44..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1211", - "name": "Exploitation for Defense Evasion", - "reference": "https://attack.mitre.org/techniques/T1211/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json new file mode 100644 index 000000000000..0f0dd9f6e205 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Executable File Creation by a System Critical Process", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json new file mode 100644 index 000000000000..264be565ca61 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Executable File Creation by a System Critical Process", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json new file mode 100644 index 000000000000..0024671844e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json @@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Executable File Creation by a System Critical Process", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json deleted file mode 100644 index 240f46ff43cc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json +++ /dev/null @@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential LSA Authentication Package Abuse", - "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": "https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.002", - "name": "Authentication Package", - "reference": "https://attack.mitre.org/techniques/T1547/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json new file mode 100644 index 000000000000..7a40986c66f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSA Authentication Package Abuse", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json new file mode 100644 index 000000000000..5962dbab3118 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json @@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSA Authentication Package Abuse", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json deleted file mode 100644 index 24576d850882..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Automation Webhook Created", - "note": "", - "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n", - "references": [ - "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", - "https://github.com/hausec/PowerZure", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Persistence" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json new file mode 100644 index 000000000000..bfc54db430d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json @@ -0,0 +1,65 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Webhook Created", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102.json b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102.json new file mode 100644 index 000000000000..b8bb5f685d36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102.json @@ -0,0 +1,63 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Automation Webhook Created", + "note": "", + "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", + "https://github.com/hausec/PowerZure", + "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", + "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json deleted file mode 100644 index 736fcc05d221..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", - "from": "now-20m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS IAM Brute Force of Assume Role Policy", - "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", - "references": [ - "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", - "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "aws.cloudtrail.error_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [], - "value": 25 - }, - "type": "threshold", - "version": 106 - }, - "id": "ea248a02-bc47-4043-8e94-2885b19b2636", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json new file mode 100644 index 000000000000..b48e55f48fff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Brute Force of Assume Role Policy", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", + "references": [ + "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", + "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [], + "value": 25 + }, + "type": "threshold", + "version": 105 + }, + "id": "ea248a02-bc47-4043-8e94-2885b19b2636_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json new file mode 100644 index 000000000000..fe01a951f1ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS IAM Brute Force of Assume Role Policy", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", + "references": [ + "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", + "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [], + "value": 25 + }, + "type": "threshold", + "version": 106 + }, + "id": "ea248a02-bc47-4043-8e94-2885b19b2636_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json deleted file mode 100644 index 6c7329190415..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 75, - "author": [ - "Elastic" - ], - "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", - "false_positives": [ - "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert." - ], - "from": "now-30m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": "high_count_network_denies", - "name": "Spike in Firewall Denies", - "references": [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" - ], - "risk_score": 21, - "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", - "severity": "low", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning" - ], - "type": "machine_learning", - "version": 102 - }, - "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json new file mode 100644 index 000000000000..d71a3b7af949 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_denies", + "name": "Spike in Firewall Denies", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", + "severity": "low", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "ML", + "Machine Learning" + ], + "type": "machine_learning", + "version": 101 + }, + "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json new file mode 100644 index 000000000000..add2344248ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", + "false_positives": [ + "A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert." + ], + "from": "now-30m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "high_count_network_denies", + "name": "Spike in Firewall Denies", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" + ], + "risk_score": 21, + "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", + "severity": "low", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning" + ], + "type": "machine_learning", + "version": 102 + }, + "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json deleted file mode 100644 index e2a6249f62ef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", - "index": [ - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 10000, - "name": "External Alerts", - "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", - "required_fields": [ - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - } - ], - "risk_score": 47, - "risk_score_mapping": [ - { - "field": "event.risk_score", - "operator": "equals", - "value": "" - } - ], - "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", - "rule_name_override": "message", - "severity": "medium", - "severity_mapping": [ - { - "field": "event.severity", - "operator": "equals", - "severity": "low", - "value": "21" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "medium", - "value": "47" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "high", - "value": "73" - }, - { - "field": "event.severity", - "operator": "equals", - "severity": "critical", - "value": "99" - } - ], - "tags": [ - "OS: Windows", - "Data Source: APM", - "OS: macOS", - "OS: Linux" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json new file mode 100644 index 000000000000..1a6156afe407 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "External Alerts", + "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Elastic", + "Network", + "Windows", + "APM", + "macOS", + "Linux" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json new file mode 100644 index 000000000000..eab7f6e490d4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "External Alerts", + "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "rule_name_override": "message", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "OS: Windows", + "Data Source: APM", + "OS: macOS", + "OS: Linux" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json deleted file mode 100644 index baeaccc18b4a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "PowerShell Kerberos Ticket Request", - "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n", - "references": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - }, - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/", - "subtechnique": [ - { - "id": "T1558.003", - "name": "Kerberoasting", - "reference": "https://attack.mitre.org/techniques/T1558/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json new file mode 100644 index 000000000000..15353c528b03 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Kerberos Ticket Request", + "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "PowerShell" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json new file mode 100644 index 000000000000..59913ed2f9e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Kerberos Ticket Request", + "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce.json deleted file mode 100644 index 29d85c2e109d..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.", - "false_positives": [ - "False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but typically SSH is used in these scenarios." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Network Connection Attempt by Root", - "note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n", - "query": "sequence by process.entity_id with maxspan=1m\n[network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\",\"/usr/bin/ssh\",\"/usr/bin/sshpass\")]\n[process where host.os.type == \"linux\" and event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\",\"/usr/bin/ssh\",\"/usr/bin/sshpass\")]\n", - "references": [ - "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1095", - "name": "Non-Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1095/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.003", - "name": "Sudo and Sudo Caching", - "reference": "https://attack.mitre.org/techniques/T1548/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_102.json b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_102.json new file mode 100644 index 000000000000..4ed6b45f1ef8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_102.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.", + "false_positives": [ + "False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but typically SSH is used in these scenarios." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection Attempt by Root", + "note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n", + "query": "sequence by process.entity_id with maxspan=1m\n[network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n[process where host.os.type == \"linux\" and event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_103.json b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_103.json new file mode 100644 index 000000000000..262181d1fee0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_103.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.", + "false_positives": [ + "False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but typically SSH is used in these scenarios." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection Attempt by Root", + "note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n", + "query": "sequence by process.entity_id with maxspan=1m\n[network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n[process where host.os.type == \"linux\" and event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_104.json new file mode 100644 index 000000000000..99d557e1fcea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb6a3790-d52d-11ec-8ce9-f661ea17fbce_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.", + "false_positives": [ + "False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but typically SSH is used in these scenarios." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection Attempt by Root", + "note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n", + "query": "sequence by process.entity_id with maxspan=1m\n[network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\",\"/usr/bin/ssh\",\"/usr/bin/sshpass\")]\n[process where host.os.type == \"linux\" and event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\",\"/usr/bin/ssh\",\"/usr/bin/sshpass\")]\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1095", + "name": "Non-Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1095/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json deleted file mode 100644 index 6fdd58afd2c6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Potential Disabling of SELinux", - "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json new file mode 100644 index 000000000000..a17b9f08954f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json new file mode 100644 index 000000000000..400070a69686 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json deleted file mode 100644 index 3ebb7bd66b0f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the password log file from the default Mimikatz memssp module.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Mimikatz Memssp Log File Detected", - "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", - "references": [ - "https://www.elastic.co/security-labs/detect-credential-access" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json new file mode 100644 index 000000000000..d97df084acb1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the password log file from the default Mimikatz memssp module.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mimikatz Memssp Log File Detected", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json new file mode 100644 index 000000000000..c8163290f3b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the password log file from the default Mimikatz memssp module.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mimikatz Memssp Log File Detected", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json deleted file mode 100644 index 63719033b224..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json +++ /dev/null @@ -1,104 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "max_signals": 33, - "name": "IIS HTTP Logging Disabled", - "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.002", - "name": "Disable Windows Event Logging", - "reference": "https://attack.mitre.org/techniques/T1562/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json new file mode 100644 index 000000000000..7524f62af0f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "IIS HTTP Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json new file mode 100644 index 000000000000..76712eb28cc2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json @@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "IIS HTTP Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json deleted file mode 100644 index 9bf0287ca437..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Execution from an Unusual Directory", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.005", - "name": "Match Legitimate Name or Location", - "reference": "https://attack.mitre.org/techniques/T1036/005/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json new file mode 100644 index 000000000000..e7226dbeb550 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Execution from an Unusual Directory", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json new file mode 100644 index 000000000000..1527ca28c718 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Execution from an Unusual Directory", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json deleted file mode 100644 index 5fd51c4363c0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Gary Blackwell", - "Austin Songer" - ], - "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", - "false_positives": [ - "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Inbox Forwarding Rule Created", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", - "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.ForwardAsAttachmentTo", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.ForwardTo", - "type": "unknown" - }, - { - "ecs": false, - "name": "o365.audit.Parameters.RedirectTo", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Collection" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1114", - "name": "Email Collection", - "reference": "https://attack.mitre.org/techniques/T1114/", - "subtechnique": [ - { - "id": "T1114.003", - "name": "Email Forwarding Rule", - "reference": "https://attack.mitre.org/techniques/T1114/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json new file mode 100644 index 000000000000..1dbff8f07773 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json new file mode 100644 index 000000000000..79f2f4131221 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json deleted file mode 100644 index db58858ddee1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", - "false_positives": [ - "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Instance/Cluster Stoppage", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json new file mode 100644 index 000000000000..3934fe8329d6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", + "false_positives": [ + "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Instance/Cluster Stoppage", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json new file mode 100644 index 000000000000..73097327e816 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", + "false_positives": [ + "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Instance/Cluster Stoppage", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json deleted file mode 100644 index d3cb8f86733a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", - "false_positives": [ - "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Global Administrator Role Addition to PIM User", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.category", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.display_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json new file mode 100644 index 000000000000..3311afe2269c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", + "false_positives": [ + "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Global Administrator Role Addition to PIM User", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json new file mode 100644 index 000000000000..1fa05448b63e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", + "false_positives": [ + "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Global Administrator Role Addition to PIM User", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json deleted file mode 100644 index f136c6a876dc..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json +++ /dev/null @@ -1,128 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "AdFind Command Activity", - "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", - "references": [ - "http://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", - "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1018", - "name": "Remote System Discovery", - "reference": "https://attack.mitre.org/techniques/T1018/" - }, - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.002", - "name": "Domain Groups", - "reference": "https://attack.mitre.org/techniques/T1069/002/" - } - ] - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.002", - "name": "Domain Account", - "reference": "https://attack.mitre.org/techniques/T1087/002/" - } - ] - }, - { - "id": "T1482", - "name": "Domain Trust Discovery", - "reference": "https://attack.mitre.org/techniques/T1482/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json new file mode 100644 index 000000000000..50de1df0bf62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json @@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdFind Command Activity", + "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "references": [ + "http://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json new file mode 100644 index 000000000000..de61db634ca0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json @@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdFind Command Activity", + "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "references": [ + "http://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json deleted file mode 100644 index 8d6723132165..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", - "false_positives": [ - "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Attempt to Deactivate an Okta Application", - "note": "", - "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json new file mode 100644 index 000000000000..459f4dac54b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json @@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json new file mode 100644 index 000000000000..2ca451ca3c2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Deactivate an Okta Application", + "note": "", + "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json deleted file mode 100644 index 0664d4080608..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "ImageLoad via Windows Update Auto Update Client", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", - "references": [ - "https://dtm.uk/wuauclt/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", - "timeline_title": "Comprehensive Process Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json new file mode 100644 index 000000000000..30ba3d0baf4d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ImageLoad via Windows Update Auto Update Client", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", + "references": [ + "https://dtm.uk/wuauclt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json new file mode 100644 index 000000000000..7d51b04c8c9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ImageLoad via Windows Update Auto Update Client", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", + "references": [ + "https://dtm.uk/wuauclt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json deleted file mode 100644 index bfaa7c475ebd..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", - "from": "now-9m", - "index": [ - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Linux User Account Creation", - "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/", - "subtechnique": [ - { - "id": "T1136.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1136/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json new file mode 100644 index 000000000000..23192a78b588 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux User Account Creation", + "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json deleted file mode 100644 index 4bc0fb5aeb33..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json +++ /dev/null @@ -1,105 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", - "false_positives": [ - "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Print Spooler Child Process", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", - "references": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.IntegrityLevel", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json new file mode 100644 index 000000000000..91b171baee06 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", + "false_positives": [ + "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Print Spooler Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json new file mode 100644 index 000000000000..91e59c5d6a00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json @@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", + "false_positives": [ + "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Print Spooler Child Process", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json deleted file mode 100644 index 05f026bf45b6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privacy Control Bypass via TCCDB Modification", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", - "references": [ - "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", - "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", - "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "eea82229-b002-470e-a9e1-00be38b14d32", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json new file mode 100644 index 000000000000..828f922cfe72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via TCCDB Modification", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", + "references": [ + "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", + "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", + "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "eea82229-b002-470e-a9e1-00be38b14d32_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json new file mode 100644 index 000000000000..316fd5d3bbee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via TCCDB Modification", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", + "references": [ + "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", + "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", + "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "eea82229-b002-470e-a9e1-00be38b14d32_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json deleted file mode 100644 index c9bc6ee421a9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "BPF filter applied using TC", - "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", - "references": [ - "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", - "https://man7.org/linux/man-pages/man8/tc.8.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json new file mode 100644 index 000000000000..93eb324cefa6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "BPF filter applied using TC", + "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", + "references": [ + "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", + "https://man7.org/linux/man-pages/man8/tc.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Execution", + "TripleCross", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json new file mode 100644 index 000000000000..b67ab7fc4704 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "BPF filter applied using TC", + "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", + "references": [ + "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", + "https://man7.org/linux/man-pages/man8/tc.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json deleted file mode 100644 index d12842f3bb14..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Linux Credential Dumping via Proc Filesystem", - "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", - "references": [ - "https://github.com/huntergregal/mimipenguin", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.007", - "name": "Proc Filesystem", - "reference": "https://attack.mitre.org/techniques/T1003/007/" - } - ] - }, - { - "id": "T1212", - "name": "Exploitation for Credential Access", - "reference": "https://attack.mitre.org/techniques/T1212/" - } - ] - } - ], - "type": "eql", - "version": 2 - }, - "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json new file mode 100644 index 000000000000..d8c725498d33 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Proc Filesystem", + "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", + "references": [ + "https://github.com/huntergregal/mimipenguin", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + }, + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json new file mode 100644 index 000000000000..056c5e20fee2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Proc Filesystem", + "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", + "references": [ + "https://github.com/huntergregal/mimipenguin", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + }, + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json deleted file mode 100644 index 1460c1cd57f4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", - "false_positives": [ - "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "logs-system.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Whoami Process Activity", - "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json new file mode 100644 index 000000000000..bc512d57662b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Whoami Process Activity", + "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Discovery", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json new file mode 100644 index 000000000000..45acd3c82635 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Whoami Process Activity", + "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json deleted file mode 100644 index 8fc91aa4016a..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", - "from": "now-60m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "interval": "30m", - "language": "eql", - "license": "Elastic License v2", - "name": "Unusual Child Processes of RunDLL32", - "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.011", - "name": "Rundll32", - "reference": "https://attack.mitre.org/techniques/T1218/011/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json new file mode 100644 index 000000000000..ed2c27d83241 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", + "from": "now-60m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "30m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Processes of RunDLL32", + "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json new file mode 100644 index 000000000000..8e37c1b3fcbe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", + "from": "now-60m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "30m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Processes of RunDLL32", + "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json deleted file mode 100644 index a32ce6693a3e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json +++ /dev/null @@ -1,140 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious HTML File Creation", - "note": "", - "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.entropy", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.size", - "type": "long" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - }, - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/", - "subtechnique": [ - { - "id": "T1027.006", - "name": "HTML Smuggling", - "reference": "https://attack.mitre.org/techniques/T1027/006/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 103 - }, - "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json new file mode 100644 index 000000000000..b70e70b1f4f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json @@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious HTML File Creation", + "note": "", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.entropy", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.006", + "name": "HTML Smuggling", + "reference": "https://attack.mitre.org/techniques/T1027/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json new file mode 100644 index 000000000000..a77843ecab8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json @@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious HTML File Creation", + "note": "", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.entropy", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.006", + "name": "HTML Smuggling", + "reference": "https://attack.mitre.org/techniques/T1027/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json deleted file mode 100644 index c9776f3f8660..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", - "false_positives": [ - "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Administrator Role Assigned to an Okta User", - "note": "", - "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", - "references": [ - "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json new file mode 100644 index 000000000000..8999840f148c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", + "false_positives": [ + "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Administrator Role Assigned to an Okta User", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Okta", + "SecOps", + "Monitoring", + "Continuous Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json new file mode 100644 index 000000000000..83875113a729 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", + "false_positives": [ + "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Administrator Role Assigned to an Okta User", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json deleted file mode 100644 index 2485ea9d59e6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Attempt to Remove File Quarantine Attribute", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", - "references": [ - "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://ss64.com/osx/xattr.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args_count", - "type": "long" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json new file mode 100644 index 000000000000..2aeee8c9e864 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Remove File Quarantine Attribute", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://ss64.com/osx/xattr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json new file mode 100644 index 000000000000..b692ce9faef3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Remove File Quarantine Attribute", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://ss64.com/osx/xattr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json deleted file mode 100644 index 88b415c32574..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.", - "false_positives": [ - "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Alert Suppression Rule Created or Modified", - "note": "", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", - "references": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update" - ], - "related_integrations": [ - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.activitylogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "f0bc081a-2346-4744-a6a4-81514817e888", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json new file mode 100644 index 000000000000..40d480bec14b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.", + "false_positives": [ + "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Alert Suppression Rule Created or Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "f0bc081a-2346-4744-a6a4-81514817e888_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json new file mode 100644 index 000000000000..a868508a4d66 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.", + "false_positives": [ + "Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Alert Suppression Rule Created or Modified", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f0bc081a-2346-4744-a6a4-81514817e888_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json deleted file mode 100644 index 194323a5dbdb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Execution with Explicit Credentials via Scripting", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", - "references": [ - "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", - "https://www.manpagez.com/man/8/security_authtrampoline/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - }, - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.004", - "name": "Elevated Execution with Prompt", - "reference": "https://attack.mitre.org/techniques/T1548/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json new file mode 100644 index 000000000000..986fa8a98516 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution with Explicit Credentials via Scripting", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", + "https://www.manpagez.com/man/8/security_authtrampoline/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.004", + "name": "Elevated Execution with Prompt", + "reference": "https://attack.mitre.org/techniques/T1548/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json new file mode 100644 index 000000000000..1636bd473270 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution with Explicit Credentials via Scripting", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", + "https://www.manpagez.com/man/8/security_authtrampoline/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.004", + "name": "Elevated Execution with Prompt", + "reference": "https://attack.mitre.org/techniques/T1548/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json deleted file mode 100644 index f069d44da0de..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "false_positives": [ - "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Remote Code Execution via Web Server", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", - "references": [ - "https://pentestlab.blog/tag/web-shell/", - "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1505", - "name": "Server Software Component", - "reference": "https://attack.mitre.org/techniques/T1505/", - "subtechnique": [ - { - "id": "T1505.003", - "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1505/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 2 - }, - "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json new file mode 100644 index 000000000000..415ece7e6175 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Code Execution via Web Server", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", + "references": [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json new file mode 100644 index 000000000000..a6244d654936 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json @@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Code Execution via Web Server", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", + "references": [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json deleted file mode 100644 index b308f794bbfe..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", - "false_positives": [ - "To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", - "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Forwarded Google Workspace Security Alert", - "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", - "query": "event.dataset: google_workspace.alert\n", - "references": [ - "https://workspace.google.com/products/admin/alert-center/" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", - "rule_name_override": "google_workspace.alert.type", - "setup": "", - "severity": "high", - "severity_mapping": [ - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "low", - "value": "LOW" - }, - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "medium", - "value": "MEDIUM" - }, - { - "field": "google_workspace.alert.metadata.severity", - "operator": "equals", - "severity": "high", - "value": "HIGH" - } - ], - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Log Auditing", - "Use Case: Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 2 - }, - "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json new file mode 100644 index 000000000000..75a313fecb9f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", + "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Forwarded Google Workspace Security Alert", + "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset: google_workspace.alert\n", + "references": [ + "https://workspace.google.com/products/admin/alert-center/" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", + "rule_name_override": "google_workspace.alert.type", + "setup": "", + "severity": "high", + "severity_mapping": [ + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "low", + "value": "LOW" + }, + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "medium", + "value": "MEDIUM" + }, + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "high", + "value": "HIGH" + } + ], + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Log Auditing", + "Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json new file mode 100644 index 000000000000..02d3f623de52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", + "false_positives": [ + "To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", + "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Forwarded Google Workspace Security Alert", + "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", + "query": "event.dataset: google_workspace.alert\n", + "references": [ + "https://workspace.google.com/products/admin/alert-center/" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", + "rule_name_override": "google_workspace.alert.type", + "setup": "", + "severity": "high", + "severity_mapping": [ + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "low", + "value": "LOW" + }, + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "medium", + "value": "MEDIUM" + }, + { + "field": "google_workspace.alert.metadata.severity", + "operator": "equals", + "severity": "high", + "value": "HIGH" + } + ], + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Log Auditing", + "Use Case: Threat Detection" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json deleted file mode 100644 index 9f50eadb7686..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json +++ /dev/null @@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Creation of Hidden Login Item via Apple Script", - "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.002", - "name": "AppleScript", - "reference": "https://attack.mitre.org/techniques/T1059/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1647", - "name": "Plist File Modification", - "reference": "https://attack.mitre.org/techniques/T1647/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json new file mode 100644 index 000000000000..83d45fbf63ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Login Item via Apple Script", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Persistence", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json new file mode 100644 index 000000000000..0910bf1cbdfb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json @@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Login Item via Apple Script", + "note": "", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json deleted file mode 100644 index 86db88fac6ab..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", - "false_positives": [ - "Updates to approved and trusted SSH executables can trigger this rule." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential OpenSSH Backdoor Logging Activity", - "note": "", - "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", - "references": [ - "https://github.com/eset/malware-ioc/tree/master/sshdoor", - "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1554", - "name": "Compromise Client Software Binary", - "reference": "https://attack.mitre.org/techniques/T1554/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json new file mode 100644 index 000000000000..868ac7a53fb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Credential Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json new file mode 100644 index 000000000000..62517ef21608 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "note": "", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json deleted file mode 100644 index 4862dc506a1e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "SIP Provider Modification", - "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", - "references": [ - "https://github.com/mattifestation/PoCSubjectInterfacePackage" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1553", - "name": "Subvert Trust Controls", - "reference": "https://attack.mitre.org/techniques/T1553/", - "subtechnique": [ - { - "id": "T1553.003", - "name": "SIP and Trust Provider Hijacking", - "reference": "https://attack.mitre.org/techniques/T1553/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json new file mode 100644 index 000000000000..6db41d0376cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SIP Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json new file mode 100644 index 000000000000..2ea0b4b2f35b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SIP Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json deleted file mode 100644 index cab94097d486..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", - "references": [ - "https://github.com/outflanknl/Dumpert", - "https://github.com/hoangprod/AndrewSpecial" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - } - ], - "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "timeline_title": "Comprehensive File Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json new file mode 100644 index 000000000000..765420ada352 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json new file mode 100644 index 000000000000..dff76f9bd6cc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json new file mode 100644 index 000000000000..2c9d80546d3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json deleted file mode 100644 index 2a34e56f1db7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", - "false_positives": [ - "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS RDS Instance Creation", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", - "references": [ - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Persistence" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json new file mode 100644 index 000000000000..08790ae1b878 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", + "false_positives": [ + "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Instance Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Asset Visibility", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json new file mode 100644 index 000000000000..48ce6e70a8ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json @@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", + "false_positives": [ + "A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS RDS Instance Creation", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json deleted file mode 100644 index d94d9af9cfe5..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", - "false_positives": [ - "Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "eql", - "license": "Elastic License v2", - "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", - "references": [ - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://developers.google.com/apps-script/guides/bound", - "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links" - ], - "related_integrations": [ - { - "package": "google_workspace", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "google_workspace.drive.copy_type", - "type": "unknown" - }, - { - "ecs": false, - "name": "google_workspace.drive.file.type", - "type": "unknown" - }, - { - "ecs": false, - "name": "google_workspace.drive.owner_is_team_drive", - "type": "unknown" - }, - { - "ecs": false, - "name": "google_workspace.token.client.id", - "type": "unknown" - }, - { - "ecs": true, - "name": "source.user.email", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", - "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Initial Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 - }, - "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json new file mode 100644 index 000000000000..b98034e0622b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive.", + "false_positives": [ + "Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Resource Copied from External Drive", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.copy_type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.file.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.owner_is_team_drive", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json new file mode 100644 index 000000000000..d422c79a3974 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", + "false_positives": [ + "Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + }, + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.copy_type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.file.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.owner_is_team_drive", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json new file mode 100644 index 000000000000..312f3fb6ae27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", + "false_positives": [ + "Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.copy_type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.file.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.owner_is_team_drive", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json deleted file mode 100644 index 7d25a59ef2e4..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.direction", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - } - ], - "risk_score": 47, - "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "type": "eql", - "version": 106 - }, - "id": "f3475224-b179-4f78-8877-c2bd64c26b88", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json new file mode 100644 index 000000000000..6153a614b9b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json new file mode 100644 index 000000000000..f17957c8a9d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json @@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json new file mode 100644 index 000000000000..c3bb17a2ea4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json new file mode 100644 index 000000000000..6833f7b3fdb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json deleted file mode 100644 index 1142d48502bb..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", - "false_positives": [ - "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sudo Heap-Based Buffer Overflow Attempt", - "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", - "references": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", - "https://www.sudo.ws/alerts/unescape_overflow.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "threshold": { - "field": [ - "host.hostname" - ], - "value": 100 - }, - "type": "threshold", - "version": 102 - }, - "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json new file mode 100644 index 000000000000..bd8bda9bee09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", + "false_positives": [ + "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudo Heap-Based Buffer Overflow Attempt", + "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", + "https://www.sudo.ws/alerts/unescape_overflow.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "threshold": { + "field": [ + "host.hostname" + ], + "value": 100 + }, + "type": "threshold", + "version": 101 + }, + "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json new file mode 100644 index 000000000000..0d4826bfee43 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", + "false_positives": [ + "This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sudo Heap-Based Buffer Overflow Attempt", + "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", + "https://www.sudo.ws/alerts/unescape_overflow.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "threshold": { + "field": [ + "host.hostname" + ], + "value": 100 + }, + "type": "threshold", + "version": 102 + }, + "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json deleted file mode 100644 index bf5386848afa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json +++ /dev/null @@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", - "from": "now-65m", - "index": [ - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Threat Intel URL Indicator Match", - "query": "url.full:* or url.domain:*\n", - "references": [ - "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", - "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" - ], - "required_fields": [ - { - "ecs": true, - "name": "url.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "url.full", - "type": "wildcard" - } - ], - "risk_score": 99, - "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "severity": "critical", - "tags": [ - "OS: Windows", - "Data Source: Elastic Endgame", - "Rule Type: Indicator Match" - ], - "threat_filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.category", - "negate": false, - "params": { - "query": "threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.category": "threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "disabled": false, - "key": "event.type", - "negate": false, - "params": { - "query": "indicator" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.type": "indicator" - } - } - } - ], - "threat_index": [ - "filebeat-*", - "logs-ti_*" - ], - "threat_indicator_path": "threat.indicator", - "threat_language": "kuery", - "threat_mapping": [ - { - "entries": [ - { - "field": "url.full", - "type": "mapping", - "value": "threat.indicator.url.full" - } - ] - }, - { - "entries": [ - { - "field": "url.domain", - "type": "mapping", - "value": "threat.indicator.url.domain" - } - ] - } - ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:\"true\"", - "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", - "timeline_title": "Generic Threat Match Timeline", - "type": "threat_match", - "version": 1 - }, - "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json new file mode 100644 index 000000000000..fa9b0b5c6190 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json @@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel URL Indicator Match", + "query": "url.full:* or url.domain:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "url.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "url.domain", + "type": "mapping", + "value": "threat.indicator.url.domain" + } + ] + } + ], + "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "type": "threat_match", + "version": 1 + }, + "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json deleted file mode 100644 index b6e3a055f0e6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistence via Microsoft Office AddIns", - "note": "", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", - "references": [ - "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1137", - "name": "Office Application Startup", - "reference": "https://attack.mitre.org/techniques/T1137/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json new file mode 100644 index 000000000000..22fd9d6c64e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Office AddIns", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", + "references": [ + "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json new file mode 100644 index 000000000000..82b7709e6731 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Office AddIns", + "note": "", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", + "references": [ + "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json deleted file mode 100644 index 333dcc9bfabe..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", - "references": [ - "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", - "https://twitter.com/_nwodtuhs/status/1454049485080907776", - "https://www.thehacker.recipes/ad/movement/kerberos/delegations", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.PrivilegeList", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", - "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Active Directory", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 107 - }, - "id": "f494c678-3c33-43aa-b169-bb3d5198c41d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json new file mode 100644 index 000000000000..6c369fe18d92 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Authorization Policy Change\" and host.os.type:windows and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", + "references": [ + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", + "https://twitter.com/_nwodtuhs/status/1454049485080907776", + "https://www.thehacker.recipes/ad/movement/kerberos/delegations", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", + "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json new file mode 100644 index 000000000000..9fb5f43e4a1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", + "references": [ + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", + "https://twitter.com/_nwodtuhs/status/1454049485080907776", + "https://www.thehacker.recipes/ad/movement/kerberos/delegations", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", + "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json new file mode 100644 index 000000000000..fdcc376ffdcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json @@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", + "references": [ + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", + "https://twitter.com/_nwodtuhs/status/1454049485080907776", + "https://www.thehacker.recipes/ad/movement/kerberos/delegations", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", + "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json deleted file mode 100644 index f489fd6ddfaa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Data Encryption via OpenSSL Utility", - "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", - "references": [ - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1486", - "name": "Data Encrypted for Impact", - "reference": "https://attack.mitre.org/techniques/T1486/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json new file mode 100644 index 000000000000..211011aa49c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Data Encryption via OpenSSL Utility", + "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", + "references": [ + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json deleted file mode 100644 index d8028aa52c85..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Script Executing PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.001", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1566/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json new file mode 100644 index 000000000000..cfd8f06dc5c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Executing PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json new file mode 100644 index 000000000000..d82419516a18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Executing PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json deleted file mode 100644 index c28400998c91..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Masquerading Space After Filename", - "note": "", - "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", - "references": [ - "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1036", - "name": "Masquerading", - "reference": "https://attack.mitre.org/techniques/T1036/", - "subtechnique": [ - { - "id": "T1036.006", - "name": "Space after Filename", - "reference": "https://attack.mitre.org/techniques/T1036/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json new file mode 100644 index 000000000000..825125197746 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Masquerading Space After Filename", + "note": "", + "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", + "references": [ + "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.006", + "name": "Space after Filename", + "reference": "https://attack.mitre.org/techniques/T1036/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json new file mode 100644 index 000000000000..e69cae56b8ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Masquerading Space After Filename", + "note": "", + "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", + "references": [ + "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.006", + "name": "Space after Filename", + "reference": "https://attack.mitre.org/techniques/T1036/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json deleted file mode 100644 index 9164ac99e58b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", - "false_positives": [ - "Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Windows Firewall Disabled via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "http://woshub.com/manage-windows-firewall-powershell/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.004", - "name": "Disable or Modify System Firewall", - "reference": "https://attack.mitre.org/techniques/T1562/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json new file mode 100644 index 000000000000..f4836e101b8b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", + "false_positives": [ + "Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Firewall Disabled via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json new file mode 100644 index 000000000000..bcc257e6db08 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", + "false_positives": [ + "Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Firewall Disabled via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json deleted file mode 100644 index 5d0a242bba57..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Delete Volume USN Journal with Fsutil", - "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1070", - "name": "Indicator Removal", - "reference": "https://attack.mitre.org/techniques/T1070/", - "subtechnique": [ - { - "id": "T1070.004", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1070/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "f675872f-6d85-40a3-b502-c0d2ef101e92", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json new file mode 100644 index 000000000000..6f169fb9bdab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Delete Volume USN Journal with Fsutil", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json new file mode 100644 index 000000000000..f65428f8cead --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Delete Volume USN Journal with Fsutil", + "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json new file mode 100644 index 000000000000..852b64804ea4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Delete Volume USN Journal with Fsutil", + "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json deleted file mode 100644 index a3e270532cef..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", - "false_positives": [ - "Authorized SoftwareUpdate Settings Changes" - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SoftwareUpdate Preferences Modification", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", - "references": [ - "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json new file mode 100644 index 000000000000..0954c06c7da5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", + "false_positives": [ + "Authorized SoftwareUpdate Settings Changes" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SoftwareUpdate Preferences Modification", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", + "references": [ + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json new file mode 100644 index 000000000000..baf74cc96532 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", + "false_positives": [ + "Authorized SoftwareUpdate Settings Changes" + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SoftwareUpdate Preferences Modification", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", + "references": [ + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json deleted file mode 100644 index 276d674beb50..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json +++ /dev/null @@ -1,81 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.", - "false_positives": [ - "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Service Principal Credentials Added", - "note": "", - "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", - "references": [ - "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", - "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Azure", - "Use Case: Identity and Access Audit", - "Tactic: Impact" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1496", - "name": "Resource Hijacking", - "reference": "https://attack.mitre.org/techniques/T1496/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "f766ffaf-9568-4909-b734-75d19b35cbf4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json new file mode 100644 index 000000000000..0a62b2096828 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.", + "false_positives": [ + "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Service Principal Credentials Added", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", + "references": [ + "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Azure", + "Continuous Monitoring", + "SecOps", + "Identity and Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1496", + "name": "Resource Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "f766ffaf-9568-4909-b734-75d19b35cbf4_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json new file mode 100644 index 000000000000..c69ce6c84a71 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.", + "false_positives": [ + "Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Service Principal Credentials Added", + "note": "", + "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", + "references": [ + "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Use Case: Identity and Access Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1496", + "name": "Resource Hijacking", + "reference": "https://attack.mitre.org/techniques/T1496/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f766ffaf-9568-4909-b734-75d19b35cbf4_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json deleted file mode 100644 index 44f47c26080e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS CloudWatch Alarm Deletion", - "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", - "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 106 - }, - "id": "f772ec8a-e182-483c-91d2-72058f76a44c", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json new file mode 100644 index 000000000000..69ca3dd3f21b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Alarm Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "f772ec8a-e182-483c-91d2-72058f76a44c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json new file mode 100644 index 000000000000..e9f1dbd27d9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json @@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudWatch Alarm Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Resources: Investigation Guide", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "f772ec8a-e182-483c-91d2-72058f76a44c_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json deleted file mode 100644 index b5827462ab0e..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.domain", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1547", - "name": "Boot or Logon Autostart Execution", - "reference": "https://attack.mitre.org/techniques/T1547/", - "subtechnique": [ - { - "id": "T1547.001", - "name": "Registry Run Keys / Startup Folder", - "reference": "https://attack.mitre.org/techniques/T1547/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json new file mode 100644 index 000000000000..72187c19b453 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json new file mode 100644 index 000000000000..5d2547b84972 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json new file mode 100644 index 000000000000..3193d0df9958 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json deleted file mode 100644 index e5d95ec1f1f6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", - "references": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 103 - }, - "id": "f81ee52c-297e-46d9-9205-07e66931df26", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json new file mode 100644 index 000000000000..69a03f6ebc6d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 102 + }, + "id": "f81ee52c-297e-46d9-9205-07e66931df26_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json new file mode 100644 index 000000000000..fe6eb541e547 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "f81ee52c-297e-46d9-9205-07e66931df26_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json deleted file mode 100644 index ca8143811dd1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", - "false_positives": [ - "Trusted system or Adobe Acrobat Related processes." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", - "references": [ - "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json new file mode 100644 index 000000000000..ce6df1918046 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json @@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", + "false_positives": [ + "Trusted system or Adobe Acrobat Related processes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", + "references": [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "macOS", + "Threat Detection", + "Privilege Escalation", + "CVE-2020-9615", + "CVE-2020-9614", + "CVE-2020-9613" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json new file mode 100644 index 000000000000..0be498041ce2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", + "false_positives": [ + "Trusted system or Adobe Acrobat Related processes." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", + "references": [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json deleted file mode 100644 index 6c5cf6b698a1..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Modification of AmsiEnable Registry Key", - "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", - "references": [ - "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", - "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json new file mode 100644 index 000000000000..63862545e50b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of AmsiEnable Registry Key", + "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", + "references": [ + "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json new file mode 100644 index 000000000000..013b80876a07 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of AmsiEnable Registry Key", + "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", + "references": [ + "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json deleted file mode 100644 index e18882f55fed..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "attributes": { - "anomaly_threshold": 25, - "author": [ - "Elastic" - ], - "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", - "false_positives": [ - "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." - ], - "from": "now-45m", - "interval": "15m", - "license": "Elastic License v2", - "machine_learning_job_id": [ - "v3_linux_network_configuration_discovery" - ], - "name": "Unusual Linux Network Configuration Discovery", - "risk_score": 21, - "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1016", - "name": "System Network Configuration Discovery", - "reference": "https://attack.mitre.org/techniques/T1016/" - } - ] - } - ], - "type": "machine_learning", - "version": 103 - }, - "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json new file mode 100644 index 000000000000..1fe5a462a5cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_configuration_discovery" + ], + "name": "Unusual Linux System Network Configuration Discovery", + "risk_score": 21, + "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "type": "machine_learning", + "version": 101 + }, + "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json new file mode 100644 index 000000000000..9e4d5b264a78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_configuration_discovery" + ], + "name": "Unusual Linux Network Configuration Discovery", + "risk_score": 21, + "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "ML", + "Machine Learning", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "type": "machine_learning", + "version": 102 + }, + "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json new file mode 100644 index 000000000000..9bda6139a738 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json @@ -0,0 +1,51 @@ +{ + "attributes": { + "anomaly_threshold": 25, + "author": [ + "Elastic" + ], + "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", + "false_positives": [ + "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration." + ], + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": [ + "v3_linux_network_configuration_discovery" + ], + "name": "Unusual Linux Network Configuration Discovery", + "risk_score": 21, + "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "type": "machine_learning", + "version": 103 + }, + "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json deleted file mode 100644 index 52a2847801d7..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Ingress Transfer via Windows BITS", - "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", - "references": [ - "https://attack.mitre.org/techniques/T1197/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": false, - "name": "file.Ext.header_bytes", - "type": "unknown" - }, - { - "ecs": false, - "name": "file.Ext.original.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1197", - "name": "BITS Jobs", - "reference": "https://attack.mitre.org/techniques/T1197/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "f95972d3-c23b-463b-89a8-796b3f369b49", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json new file mode 100644 index 000000000000..d864d3074fe0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Ingress Transfer via Windows BITS", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", + "references": [ + "https://attack.mitre.org/techniques/T1197/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "f95972d3-c23b-463b-89a8-796b3f369b49_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json new file mode 100644 index 000000000000..d84e4b021c35 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Ingress Transfer via Windows BITS", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", + "references": [ + "https://attack.mitre.org/techniques/T1197/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f95972d3-c23b-463b-89a8-796b3f369b49_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json deleted file mode 100644 index b6c84d345096..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" - ], - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 7 - }, - "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json new file mode 100644 index 000000000000..e1de7a5a7591 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Account Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json new file mode 100644 index 000000000000..944018e3cc5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Account Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json new file mode 100644 index 000000000000..e36f773579ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Account Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json new file mode 100644 index 000000000000..8c4b35c5380b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Account Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json deleted file mode 100644 index 1ff8ae8384b9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", - "false_positives": [ - "A user may report suspicious activity on their Okta account in error." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Activity Reported by Okta User", - "note": "", - "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Tactic: Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "f994964f-6fce-4d75-8e79-e16ccc412588", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json new file mode 100644 index 000000000000..c49a03be7d08 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", + "false_positives": [ + "A user may report suspicious activity on their Okta account in error." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Activity Reported by Okta User", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "f994964f-6fce-4d75-8e79-e16ccc412588_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json new file mode 100644 index 000000000000..bef704e2cbae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", + "false_positives": [ + "A user may report suspicious activity on their Okta account in error." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Activity Reported by Okta User", + "note": "", + "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "f994964f-6fce-4d75-8e79-e16ccc412588_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json deleted file mode 100644 index f9cd0fa344a8..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Copy to a Hidden Share", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.002", - "name": "SMB/Windows Admin Shares", - "reference": "https://attack.mitre.org/techniques/T1021/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json new file mode 100644 index 000000000000..95c04755a861 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy to a Hidden Share", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json new file mode 100644 index 000000000000..649ec7975856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy to a Hidden Share", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json deleted file mode 100644 index d08c7005788b..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", - "from": "now-9m", - "index": [ - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential External Linux SSH Brute Force Detected", - "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. \n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", - "related_integrations": [ - { - "package": "system", - "version": "^1.6.4" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 3 - }, - "id": "fa210b61-b627-4e5e-86f4-17e8270656ab", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json new file mode 100644 index 000000000000..e4ef3b492d4c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential External Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. \n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json new file mode 100644 index 000000000000..826650603b5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential External Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. \n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json new file mode 100644 index 000000000000..996bca81c4c3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential External Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. \n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json deleted file mode 100644 index 524c19e2ad54..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json +++ /dev/null @@ -1,119 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Reverse Shell via Suspicious Binary", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", - "references": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "type": "eql", - "version": 1 - }, - "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json new file mode 100644 index 000000000000..958158adb82b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json @@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Suspicious Binary", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json deleted file mode 100644 index cebf65dd6e9f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", - "references": [ - "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" - ], - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - }, - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - }, - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.001", - "name": "DLL Search Order Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "fa488440-04cc-41d7-9279-539387bf2a17", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json new file mode 100644 index 000000000000..3100d1c72daf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Antimalware Scan Interface DLL", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "fa488440-04cc-41d7-9279-539387bf2a17_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json new file mode 100644 index 000000000000..e803d354910d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Antimalware Scan Interface DLL", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "fa488440-04cc-41d7-9279-539387bf2a17_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json new file mode 100644 index 000000000000..daa2327e1459 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Antimalware Scan Interface DLL", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "fa488440-04cc-41d7-9279-539387bf2a17_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json new file mode 100644 index 000000000000..3b0ee4072951 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Antimalware Scan Interface DLL", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "fa488440-04cc-41d7-9279-539387bf2a17_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json deleted file mode 100644 index e1c831229ce6..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json +++ /dev/null @@ -1,134 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", - "false_positives": [ - "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Network Connection via Registration Utility", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", - "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.protocol", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.token.integrity_level_name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.entity_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.IntegrityLevel", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "System Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/", - "subtechnique": [ - { - "id": "T1218.010", - "name": "Regsvr32", - "reference": "https://attack.mitre.org/techniques/T1218/010/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 104 - }, - "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json new file mode 100644 index 000000000000..30d54cd7764a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Registration Utility", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 102 + }, + "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json new file mode 100644 index 000000000000..b2c319607596 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json @@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Registration Utility", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 103 + }, + "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json new file mode 100644 index 000000000000..76981462f8df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json @@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Registration Utility", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 104 + }, + "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json deleted file mode 100644 index 34635c640767..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", - "false_positives": [ - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "from": "now-60m", - "index": [ - "filebeat-*", - "logs-aws*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "AWS Configuration Recorder Stopped", - "note": "", - "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", - "references": [ - "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", - "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html" - ], - "related_integrations": [ - { - "integration": "cloudtrail", - "package": "aws", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", - "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/", - "subtechnique": [ - { - "id": "T1562.001", - "name": "Disable or Modify Tools", - "reference": "https://attack.mitre.org/techniques/T1562/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 103 - }, - "id": "fbd44836-0d69-4004-a0b4-03c20370c435", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json new file mode 100644 index 000000000000..378fb960f633 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Configuration Recorder Stopped", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "AWS", + "Amazon Web Services", + "Continuous Monitoring", + "SecOps", + "Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "fbd44836-0d69-4004-a0b4-03c20370c435_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json new file mode 100644 index 000000000000..89489a83fa4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json @@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Configuration Recorder Stopped", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", + "references": [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "fbd44836-0d69-4004-a0b4-03c20370c435_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json deleted file mode 100644 index 0a6bb4d76d8f..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", - "references": [ - "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 104 - }, - "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json new file mode 100644 index 000000000000..642c77983937 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json new file mode 100644 index 000000000000..124ff6068f33 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json deleted file mode 100644 index 62d1f509ffc9..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json +++ /dev/null @@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Application Shimming via Sdbinst", - "note": "", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1546", - "name": "Event Triggered Execution", - "reference": "https://attack.mitre.org/techniques/T1546/", - "subtechnique": [ - { - "id": "T1546.011", - "name": "Application Shimming", - "reference": "https://attack.mitre.org/techniques/T1546/011/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json new file mode 100644 index 000000000000..9c9fe32b9be6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json @@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json new file mode 100644 index 000000000000..0bf77294cc81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json @@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json deleted file mode 100644 index a787a43af9d0..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic", - "Austin Songer" - ], - "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Suspicious CertUtil Commands", - "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", - "references": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", - "https://twitter.com/egre55/status/1087685529016193025", - "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", - "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - } - ], - "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", - "timeline_title": "Comprehensive Process Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json new file mode 100644 index 000000000000..63929f6096ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CertUtil Commands", + "note": "", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", + "references": [ + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://twitter.com/egre55/status/1087685529016193025", + "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", + "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json new file mode 100644 index 000000000000..6e798fc928e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CertUtil Commands", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", + "references": [ + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://twitter.com/egre55/status/1087685529016193025", + "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", + "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json new file mode 100644 index 000000000000..6dff6f76316a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json @@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CertUtil Commands", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", + "references": [ + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://twitter.com/egre55/status/1087685529016193025", + "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", + "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json deleted file mode 100644 index b0dbefb8f9aa..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json +++ /dev/null @@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", - "references": [ - "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", - "timeline_title": "Comprehensive Process Timeline", - "timestamp_override": "event.ingested", - "type": "eql", - "version": 106 - }, - "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json new file mode 100644 index 000000000000..158a027580b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", + "references": [ + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json new file mode 100644 index 000000000000..9828ceb6e496 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json @@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", + "references": [ + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json new file mode 100644 index 000000000000..7f5f627b15b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json @@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", + "references": [ + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json deleted file mode 100644 index d169102fd412..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json +++ /dev/null @@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Austin Songer" - ], - "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", - "false_positives": [ - "Legitimate Windows Defender configuration changes" - ], - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Microsoft Windows Defender Tampering", - "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", - "references": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", - "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", - "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", - "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json new file mode 100644 index 000000000000..352ee20851c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", + "false_positives": [ + "Legitimate Windows Defender configuration changes" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Windows Defender Tampering", + "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", + "references": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", + "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json new file mode 100644 index 000000000000..d4352b90964b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", + "false_positives": [ + "Legitimate Windows Defender configuration changes" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Windows Defender Tampering", + "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", + "references": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", + "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json deleted file mode 100644 index 83f1bb11123c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-windows.*", - "endgame-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "MS Office Macro Security Registry Modifications", - "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", - "related_integrations": [ - { - "package": "windows", - "version": "^1.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "registry.data.strings", - "type": "wildcard" - }, - { - "ecs": true, - "name": "registry.path", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1112", - "name": "Modify Registry", - "reference": "https://attack.mitre.org/techniques/T1112/" - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 105 - }, - "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json new file mode 100644 index 000000000000..38830be6d73f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MS Office Macro Security Registry Modifications", + "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 104 + }, + "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json new file mode 100644 index 000000000000..650d151d8c33 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json @@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MS Office Macro Security Registry Modifications", + "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json deleted file mode 100644 index c8038f13ac2c..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", - "false_positives": [ - "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected." - ], - "from": "now-9m", - "index": [ - "packetbeat-*", - "logs-network_traffic.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", - "query": "event.dataset: (network_traffic.http or network_traffic.tls) and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": [ - "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "https://www.justice.gov/opa/press-release/file/1084361/download", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "url.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "url.path", - "type": "wildcard" - } - ], - "risk_score": 47, - "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", - "severity": "medium", - "tags": [ - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Domain: Endpoint" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Ingress Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json new file mode 100644 index 000000000000..cf0f8da1de24 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", + "false_positives": [ + "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.category:(network or network_traffic) and network.protocol:http and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.justice.gov/opa/press-release/file/1084361/download", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", + "severity": "medium", + "tags": [ + "Elastic", + "Network", + "Threat Detection", + "Command and Control", + "Host" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json new file mode 100644 index 000000000000..72b552ff0265 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", + "false_positives": [ + "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", + "query": "event.dataset: (network_traffic.http or network_traffic.tls) and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.justice.gov/opa/press-release/file/1084361/download", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", + "severity": "medium", + "tags": [ + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Domain: Endpoint" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json deleted file mode 100644 index d7e13ac12822..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json +++ /dev/null @@ -1,143 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Cron Job Created or Changed by Previously Unknown Process", - "new_terms_fields": [ - "file.path", - "process.name" - ], - "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", - "references": [ - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.extension", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1053", - "name": "Scheduled Task/Job", - "reference": "https://attack.mitre.org/techniques/T1053/", - "subtechnique": [ - { - "id": "T1053.003", - "name": "Cron", - "reference": "https://attack.mitre.org/techniques/T1053/003/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json new file mode 100644 index 000000000000..2489fd770a95 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json @@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Cron Job Created or Changed by Previously Unknown Process", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", + "references": [ + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Privilege Escalation", + "Execution", + "Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json new file mode 100644 index 000000000000..ef11d47855de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json @@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Cron Job Created or Changed by Previously Unknown Process", + "new_terms_fields": [ + "file.path", + "process.name" + ], + "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", + "references": [ + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json new file mode 100644 index 000000000000..8fbb61a3225b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json @@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Process Access via Windows API", + "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\"\n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Target.process.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.api.name", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json new file mode 100644 index 000000000000..f1156fa06ea4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json @@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Process Access via Windows API", + "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\"\n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Target.process.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.api.name", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json deleted file mode 100644 index 89ad47111db3..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", - "false_positives": [ - "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Microsoft 365 Exchange Transport Rule Creation", - "note": "", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", - "references": [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", - "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^1.3.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Exfiltration" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [ - { - "id": "T1537", - "name": "Transfer Data to Cloud Account", - "reference": "https://attack.mitre.org/techniques/T1537/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 102 - }, - "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json new file mode 100644 index 000000000000..da4ac0419e35 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 101 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json new file mode 100644 index 000000000000..153692938d4f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json @@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 102 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json deleted file mode 100644 index 0d65d6d41a83..000000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.", - "false_positives": [ - "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "index": [ - "filebeat-*", - "logs-gcp*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "GCP Firewall Rule Deletion", - "note": "", - "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n", - "references": [ - "https://cloud.google.com/vpc/docs/firewalls", - "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" - ], - "related_integrations": [ - { - "integration": "audit", - "package": "gcp", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", - "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion" - ], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1562", - "name": "Impair Defenses", - "reference": "https://attack.mitre.org/techniques/T1562/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 104 - }, - "id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json new file mode 100644 index 000000000000..4149063618e4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json @@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.", + "false_positives": [ + "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Google Cloud Platform", + "Continuous Monitoring", + "SecOps", + "Configuration Audit" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json new file mode 100644 index 000000000000..0ebf7cf18f8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json @@ -0,0 +1,76 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.", + "false_positives": [ + "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Firewall Rule Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n", + "references": [ + "https://cloud.google.com/vpc/docs/firewalls", + "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls" + ], + "related_integrations": [ + { + "integration": "audit", + "package": "gcp", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 1f8c2dac13d7..599faa245767 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -1,7 +1,7 @@ categories: - security conditions: - kibana.version: ^8.6.0 + kibana.version: ^8.7.0 description: Prebuilt detection rules for Elastic Security format_version: 1.0.0 icons: @@ -12,7 +12,7 @@ license: basic name: security_detection_engine owner: github: elastic/protections -release: ga +release: beta title: Prebuilt Security Detection Rules type: integration -version: 8.6.9 +version: 8.7.9-beta.1 From 85bb39b94902ce12c497acc7934165db67684285 Mon Sep 17 00:00:00 2001 From: Dennis Perto Date: Wed, 12 Jul 2023 23:51:01 +0200 Subject: [PATCH 2/4] [cisco_ftd] Change source.bytes and destination.bytes to long (#6929) --- packages/cisco_ftd/changelog.yml | 5 + .../pipeline/test-security-connection.log | 1 + ...test-security-connection.log-expected.json | 124 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 10 +- .../data_stream/log/sample_event.json | 10 +- packages/cisco_ftd/docs/README.md | 10 +- packages/cisco_ftd/manifest.yml | 2 +- 7 files changed, 146 insertions(+), 16 deletions(-) diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index 14a6cf94b3b8..53adbed45870 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.13.2" + changes: + - description: Fix source.bytes and destination.bytes type + type: bugfix + link: https://github.com/elastic/integrations/pull/6929 - version: "2.13.1" changes: - description: Remove Invalid ID diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log index 312450d2381b..c78948cac2fb 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log @@ -12,3 +12,4 @@ Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, Ac 2023-03-27T08:54:54Z %FTD-1-430003: EventPriority: Low, DeviceUUID: 5c120000-ca5e-11e7-ab3c-ad268d8b0000, InstanceID: 5, FirstPacketSecond: 2023-03-27T08:54:54Z, ConnectionID: 56696, AccessControlRuleAction: Block with reset, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 50815, DstPort: 7680, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, IngressZone: Inside, EgressZone: Outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: ProductionPolicy, AccessControlRuleName: BlockReset-Policy, Prefilter Policy: Default Prefilter Policy, User: Not Found, Client: Windows Update client, ApplicationProtocol: Windows Update, ConnectionDuration: 0, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 261, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity 2023-03-27T08:55:09Z %FTD-1-430003: EventPriority: Low, DeviceUUID: 5c120000-ca5e-11e7-ab3c-ad268d8b0000, InstanceID: 1, FirstPacketSecond: 2023-03-27T08:54:39Z, ConnectionID: 57475, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 44998, DstPort: 8193, Protocol: tcp, IngressInterface: Outside, EgressInterface: Inside, IngressZone: Outside, EgressZone: Inside, IngressVRF: Global, EgressVRF: Global, ACPolicy: ProductionPolicy, AccessControlRuleName: Exposed-Server1, Prefilter Policy: Default Prefilter Policy, User: PassiveAuth\user2, ConnectionDuration: 30, InitiatorPackets: 4, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity 2023-03-27T12:26:00Z : %FTD-1-430001: DeviceUUID: 00009fd0-de50-11ea-b566-e4821b710000, InstanceID: 8, FirstPacketSecond: 2023-03-27T12:26:00Z, ConnectionID: 1309, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 54967, DstPort: 80, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, IngressZone: Inside, EgressZone: Outside, Priority: 3, GID: 119, SID: 6, Revision: 3, Message: (http_inspect) URI has two-byte or three-byte UTF-8 encoding, Classification: Not Suspicious Traffic, User: Not Found, IntrusionPolicy: Inline IPS Policy, ACPolicy: FTD-ACP, AccessControlRuleName: PassRule, NAPPolicy: Balanced Security and Connectivity, InlineResult: Pass, IngressVRF: Global, EgressVRF: Global +2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 3000000000, ResponderBytes: 3000000000, NAPPolicy: Balanced Security and Connectivity \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json index 2ca27b02a475..bc7a8840d424 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json @@ -1793,6 +1793,130 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", + "cisco": { + "ftd": { + "destination_interface": "outside", + "rule_name": [ + "default", + "Rule-1" + ], + "security": { + "ac_policy": "default", + "access_control_rule_action": "Allow", + "access_control_rule_name": "Rule-1", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "egress_interface": "outside", + "egress_zone": "output-zone", + "ingress_interface": "inside", + "ingress_zone": "input-zone", + "initiator_bytes": "3000000000", + "initiator_packets": "2", + "nap_policy": "Balanced Security and Connectivity", + "prefilter_policy": "Default Prefilter Policy", + "protocol": "tcp", + "responder_bytes": "3000000000", + "responder_packets": "1", + "src_ip": "10.0.1.20", + "src_port": "46000", + "user": "No Authentication Required" + }, + "source_interface": "inside" + } + }, + "destination": { + "address": "81.2.69.144", + "bytes": 3000000000, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 1, + "port": 80 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "connection-started", + "category": [ + "network" + ], + "code": "430002", + "kind": "event", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 3000000000, ResponderBytes: 3000000000, NAPPolicy: Balanced Security and Connectivity", + "outcome": "success", + "severity": 1, + "timezone": "UTC", + "type": [ + "connection", + "start", + "allowed" + ] + }, + "host": { + "hostname": "firepower" + }, + "log": { + "level": "alert" + }, + "network": { + "bytes": 6000000000, + "community_id": "1:Xumx4bGQqJmLtaW2LNJT/b/cOm8=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "firepower", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ] + }, + "rule": { + "name": "Rule-1", + "ruleset": "default" + }, + "source": { + "address": "10.0.1.20", + "bytes": 3000000000, + "ip": "10.0.1.20", + "packets": 2, + "port": 46000 + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index bfd56ff9af02..1cd7c4ebe6c2 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -1463,20 +1463,20 @@ processors: value: "{{{event.duration}}}" ignore_empty_value: true # - # Ensure source.bytes is integer + # Ensure source.bytes is long # - convert: if: "ctx.source?.bytes != null" field: "source.bytes" - type: "integer" + type: "long" # - # Ensure destination.bytes is integer + # Ensure destination.bytes is long # - convert: if: "ctx.destination?.bytes != null" field: "destination.bytes" - type: "integer" + type: "long" # # Sum source.bytes and destination.bytes in network.bytes @@ -1484,7 +1484,7 @@ processors: - script: lang: painless source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network != null && ctx.network.bytes == null + if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null # # Process the flow duration "hh:mm:ss" present in some messages diff --git a/packages/cisco_ftd/data_stream/log/sample_event.json b/packages/cisco_ftd/data_stream/log/sample_event.json index 385d561a26c4..7013a25cfcfe 100644 --- a/packages/cisco_ftd/data_stream/log/sample_event.json +++ b/packages/cisco_ftd/data_stream/log/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2019-08-16T09:39:03.000Z", "agent": { - "ephemeral_id": "7e826206-b66b-476a-86ca-8bd761f2d874", - "id": "bf696210-9744-4824-b0c0-b6ce31382491", + "ephemeral_id": "563db769-cf4e-4313-8057-387dec8bc049", + "id": "0e4207eb-53e8-488c-9fdf-a120c1c0c5c7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.0.0" @@ -63,7 +63,7 @@ "version": "8.8.0" }, "elastic_agent": { - "id": "bf696210-9744-4824-b0c0-b6ce31382491", + "id": "0e4207eb-53e8-488c-9fdf-a120c1c0c5c7", "snapshot": false, "version": "8.0.0" }, @@ -76,7 +76,7 @@ ], "code": "430005", "dataset": "cisco_ftd.log", - "ingested": "2023-07-06T09:00:39Z", + "ingested": "2023-07-12T06:47:50Z", "kind": "event", "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "severity": 1, @@ -102,7 +102,7 @@ "log": { "level": "alert", "source": { - "address": "172.19.0.4:50908" + "address": "172.21.0.4:58166" } }, "network": { diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md index ebcef44b5467..3646b284b44d 100644 --- a/packages/cisco_ftd/docs/README.md +++ b/packages/cisco_ftd/docs/README.md @@ -22,8 +22,8 @@ An example event for `log` looks as following: { "@timestamp": "2019-08-16T09:39:03.000Z", "agent": { - "ephemeral_id": "7e826206-b66b-476a-86ca-8bd761f2d874", - "id": "bf696210-9744-4824-b0c0-b6ce31382491", + "ephemeral_id": "563db769-cf4e-4313-8057-387dec8bc049", + "id": "0e4207eb-53e8-488c-9fdf-a120c1c0c5c7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.0.0" @@ -84,7 +84,7 @@ An example event for `log` looks as following: "version": "8.8.0" }, "elastic_agent": { - "id": "bf696210-9744-4824-b0c0-b6ce31382491", + "id": "0e4207eb-53e8-488c-9fdf-a120c1c0c5c7", "snapshot": false, "version": "8.0.0" }, @@ -97,7 +97,7 @@ An example event for `log` looks as following: ], "code": "430005", "dataset": "cisco_ftd.log", - "ingested": "2023-07-06T09:00:39Z", + "ingested": "2023-07-12T06:47:50Z", "kind": "event", "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "severity": 1, @@ -123,7 +123,7 @@ An example event for `log` looks as following: "log": { "level": "alert", "source": { - "address": "172.19.0.4:50908" + "address": "172.21.0.4:58166" } }, "network": { diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml index 1268c6d8d04b..3ccb9be88ce1 100644 --- a/packages/cisco_ftd/manifest.yml +++ b/packages/cisco_ftd/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_ftd title: Cisco FTD -version: "2.13.1" +version: "2.13.2" license: basic description: Collect logs from Cisco FTD with Elastic Agent. type: integration From 43d3ba0422800bfe416bd4a1ef00b78ef2a9f9d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Chema=20Mart=C3=ADnez?= Date: Thu, 13 Jul 2023 09:59:56 +0200 Subject: [PATCH 3/4] =?UTF-8?q?[Google=20Workspace]=C2=A0Convert=20visuali?= =?UTF-8?q?sations=20to=20Lens=20(#6914)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Convert Google Workspace visualisations to Lens * Bump integration version * Update changelog * Remove y-axis label in visualisation --- packages/google_workspace/changelog.yml | 5 + ...-3be0b490-3430-11ed-9f31-c9178ccae8cd.json | 392 +++++++++++------- ...-f8210e80-3b28-11ed-8bdd-f5c5df6c1370.json | 287 +++++++++---- ...-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370.json | 3 +- ...-2c40f770-3b24-11ed-8bdd-f5c5df6c1370.json | 3 +- packages/google_workspace/manifest.yml | 2 +- 6 files changed, 452 insertions(+), 240 deletions(-) diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 51bb6594c978..7552c0364920 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.11.0" + changes: + - description: Convert dashboards to Lens. + type: enhancement + link: https://github.com/elastic/integrations/pull/6914 - version: "2.10.0" changes: - description: Ensure event.kind is correctly set for pipeline errors. diff --git a/packages/google_workspace/kibana/dashboard/google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd.json b/packages/google_workspace/kibana/dashboard/google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd.json index 880f8f602ac6..9a28409a0006 100644 --- a/packages/google_workspace/kibana/dashboard/google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd.json +++ b/packages/google_workspace/kibana/dashboard/google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Overview of Google Workspace Rules.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -52,7 +52,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "49d52ffc-77d4-4564-b467-21113069fd3f": { "columnOrder": [ @@ -90,7 +90,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -105,7 +105,7 @@ "panelIndex": "123197a0-8c1a-4b5f-9328-f42cff317429", "title": "Total Severity [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -119,7 +119,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "91b13cbe-d02c-49f3-bdc7-60e804a3576a": { "columnOrder": [ @@ -176,15 +176,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "c792ccd0-e339-4a57-9b77-8ec01540876c" - ], "layerId": "91b13cbe-d02c-49f3-bdc7-60e804a3576a", "layerType": "data", "legendDisplay": "default", - "metric": "fb52ca0a-d8cc-4d5f-83c0-c28cefb0f8ce", + "metrics": [ + "fb52ca0a-d8cc-4d5f-83c0-c28cefb0f8ce" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "c792ccd0-e339-4a57-9b77-8ec01540876c" + ] } ], "shape": "pie" @@ -207,7 +209,7 @@ "panelIndex": "a995f12f-5ce4-4fbf-9d8c-411ee0fe691f", "title": "Distribution of Rules by Severity [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -221,7 +223,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "788b8016-043d-4d6d-945c-3f2e1dc365d3": { "columnOrder": [ @@ -295,7 +297,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetricNew" + "visualizationType": "lnsMetric" }, "enhancements": {} }, @@ -308,7 +310,7 @@ }, "panelIndex": "c82a2b25-eb5e-40b2-b3b2-650d74c936f9", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -322,7 +324,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "568a0980-a917-48ad-bde5-ebb17d8e623a": { "columnOrder": [ @@ -379,15 +381,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "959dbeaa-f55c-45e8-9b38-b98952a1612b" - ], "layerId": "568a0980-a917-48ad-bde5-ebb17d8e623a", "layerType": "data", "legendDisplay": "default", - "metric": "414f2299-b09f-409a-8855-ff346d86f770", + "metrics": [ + "414f2299-b09f-409a-8855-ff346d86f770" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "959dbeaa-f55c-45e8-9b38-b98952a1612b" + ] } ], "shape": "pie" @@ -410,7 +414,7 @@ "panelIndex": "3c4011fa-9c5c-48e6-abae-693bf685851e", "title": "Distribution of Rules by Device Type [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -424,7 +428,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e0b93956-6fd4-4842-a441-e185bd29c77c": { "columnOrder": [ @@ -481,15 +485,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "37b9483a-d496-4993-99e3-a2487dfcc9de" - ], "layerId": "e0b93956-6fd4-4842-a441-e185bd29c77c", "layerType": "data", "legendDisplay": "default", - "metric": "5be194b7-6d94-4677-b820-ebe7fdc33582", + "metrics": [ + "5be194b7-6d94-4677-b820-ebe7fdc33582" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "37b9483a-d496-4993-99e3-a2487dfcc9de" + ] } ], "shape": "pie" @@ -512,7 +518,7 @@ "panelIndex": "6cb8bd6f-be16-43ef-85dc-1f5007ca46ef", "title": "Distribution of Rules by Event Action [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -526,7 +532,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b04c4c24-d9f1-4a60-9b0f-8bd4fb9f80a4": { "columnOrder": [ @@ -583,15 +589,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "087501c1-0b44-4947-824d-23d688acd8b0" - ], "layerId": "b04c4c24-d9f1-4a60-9b0f-8bd4fb9f80a4", "layerType": "data", "legendDisplay": "default", - "metric": "c9367b78-19e4-4f77-aeb3-bc453bc5a289", + "metrics": [ + "c9367b78-19e4-4f77-aeb3-bc453bc5a289" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "087501c1-0b44-4947-824d-23d688acd8b0" + ] } ], "shape": "pie" @@ -614,7 +622,7 @@ "panelIndex": "a2806b00-58d7-4fb8-97c4-59c3da0220a0", "title": "Distribution of Rules by Rule Type [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -628,7 +636,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f2ade8d5-c408-4496-afd1-cecb15659a59": { "columnOrder": [ @@ -739,7 +747,7 @@ "panelIndex": "4e8cd032-411a-4a42-92b4-ee98a8f803af", "title": "Distribution of Rules by Data Source [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -753,7 +761,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "58c070e1-e2d0-4496-8b94-249b85491fb2": { "columnOrder": [ @@ -810,15 +818,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "a87c4d55-df7d-4f2c-9921-aa3749be256e" - ], "layerId": "58c070e1-e2d0-4496-8b94-249b85491fb2", "layerType": "data", "legendDisplay": "default", - "metric": "e5c683c3-dba5-44ca-a638-fe7a80eccee6", + "metrics": [ + "e5c683c3-dba5-44ca-a638-fe7a80eccee6" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "a87c4d55-df7d-4f2c-9921-aa3749be256e" + ] } ], "shape": "pie" @@ -841,7 +851,7 @@ "panelIndex": "554995d9-c1b1-4a58-9bea-a82cefc57583", "title": "Distribution of Rules by Resource Type [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -855,7 +865,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "47571350-d5fe-468c-b53e-aab0f4883775": { "columnOrder": [ @@ -940,7 +950,7 @@ "panelIndex": "1759911d-52c6-4cae-895c-d6bc9c90d8ed", "title": "Top 10 Organization Domain [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -954,7 +964,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c032fb76-0265-4e61-9008-5ae30772f62f": { "columnOrder": [ @@ -1039,7 +1049,7 @@ "panelIndex": "bede3b5c-48c7-48b9-94fd-0d60bcd6761f", "title": "Top 10 User IP [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1053,7 +1063,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2b72303a-7466-4238-acdc-376df532b930": { "columnOrder": [ @@ -1136,130 +1146,217 @@ "panelIndex": "918fbb38-c024-4a02-9451-e24d2f821105", "title": "Top 10 Trigger of the Rule Evaluation [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b54a111e-6e78-4a5f-85f0-25ca75d8a8c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1385e8ae-8493-4b2a-8e9d-0622e3415752", + "type": "index-pattern" } - }, - "description": "", - "id": "", - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "767fa210-34e3-11ed-99ee-6d37de6553b1" - } - ], - "bar_color_rules": [ - { - "id": "7412e7d0-34e3-11ed-99ee-6d37de6553b1" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b54a111e-6e78-4a5f-85f0-25ca75d8a8c0": { + "columnOrder": [ + "6ebec1fd-805f-4a2d-b0a7-d5a4e23aa4d5", + "c4085abf-16cd-4fb5-8149-33f5d9b4f2f0", + "067cca01-9d38-48df-a5d2-130190e2b166", + "7368f97b-373a-4fa9-b67c-76128f9aba27" + ], + "columns": { + "067cca01-9d38-48df-a5d2-130190e2b166": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "google_workspace.rules.severity: \"MEDIUM\"" + }, + "isBucketed": false, + "label": "Medium severity", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6ebec1fd-805f-4a2d-b0a7-d5a4e23aa4d5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "7368f97b-373a-4fa9-b67c-76128f9aba27": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "High severity", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c4085abf-16cd-4fb5-8149-33f5d9b4f2f0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "google_workspace.rules.severity: \"LOW\"" + }, + "isBucketed": false, + "label": "Low severity", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} } - ], - "drop_last_bucket": 0, - "filter": { - "language": "kuery", - "query": "" }, - "gauge_color_rules": [ + "filters": [ { - "id": "789059a0-34e3-11ed-99ee-6d37de6553b1" - } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "27f31679-7606-4f1e-b1d3-acc503edc784", - "index_pattern_ref_name": "metrics_a770d1b0-ce49-4e7c-9b2f-d61438af1415_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "e8e519c9-71f7-4662-8cbc-7b22c4b7965d", - "label": "Triggered Rules by Severity", - "line_width": 1, - "metrics": [ - { - "agg_with": "noop", - "field": "google_workspace.rules.matched.trigger", - "id": "86d42c61-1989-446d-b39c-638c17283ab1", - "order": "desc", - "type": "cardinality" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" + "$state": { + "store": "appState" }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "series_index_pattern": { - "id": "logs-*" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1385e8ae-8493-4b2a-8e9d-0622e3415752", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "google_workspace.rules" + }, + "type": "phrase" }, - "split_mode": "terms", - "stacked": "none", - "terms_field": "google_workspace.rules.severity", - "terms_size": "10", - "time_range_mode": "entire_time_range" + "query": { + "match_phrase": { + "data_stream.dataset": "google_workspace.rules" + } + } } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "timeseries", - "use_kibana_indexes": true + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c4085abf-16cd-4fb5-8149-33f5d9b4f2f0", + "067cca01-9d38-48df-a5d2-130190e2b166", + "7368f97b-373a-4fa9-b67c-76128f9aba27" + ], + "layerId": "b54a111e-6e78-4a5f-85f0-25ca75d8a8c0", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "6ebec1fd-805f-4a2d-b0a7-d5a4e23aa4d5", + "yConfig": [ + { + "color": "#da8b45", + "forAccessor": "067cca01-9d38-48df-a5d2-130190e2b166" + }, + { + "color": "#e7664c", + "forAccessor": "7368f97b-373a-4fa9-b67c-76128f9aba27" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yTitle": "Count" + } }, "title": "", - "type": "metrics", - "uiState": {} - } + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 18, - "i": "a770d1b0-ce49-4e7c-9b2f-d61438af1415", + "i": "0feb30f3-8ffe-471a-a25d-79b8d1f54d58", "w": 48, "x": 0, "y": 75 }, - "panelIndex": "a770d1b0-ce49-4e7c-9b2f-d61438af1415", + "panelIndex": "0feb30f3-8ffe-471a-a25d-79b8d1f54d58", "title": "Triggered Rules by Severity Over Time [Logs Google Workspace]", - "type": "visualization", - "version": "8.4.0" + "type": "lens", + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Google Workspace] Rules", "version": 1 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-11T10:27:23.321Z", "id": "google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd", "migrationVersion": { - "dashboard": "8.4.0" + "dashboard": "8.7.0" }, "references": [ { @@ -1324,7 +1421,12 @@ }, { "id": "logs-*", - "name": "a770d1b0-ce49-4e7c-9b2f-d61438af1415:metrics_a770d1b0-ce49-4e7c-9b2f-d61438af1415_0_index_pattern", + "name": "0feb30f3-8ffe-471a-a25d-79b8d1f54d58:indexpattern-datasource-layer-b54a111e-6e78-4a5f-85f0-25ca75d8a8c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0feb30f3-8ffe-471a-a25d-79b8d1f54d58:1385e8ae-8493-4b2a-8e9d-0622e3415752", "type": "index-pattern" } ], diff --git a/packages/google_workspace/kibana/dashboard/google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370.json b/packages/google_workspace/kibana/dashboard/google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370.json index a67e31ff9c85..01b9a9e4e296 100644 --- a/packages/google_workspace/kibana/dashboard/google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370.json +++ b/packages/google_workspace/kibana/dashboard/google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Overview of Google Workspace Drive.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -78,7 +78,7 @@ "panelIndex": "88d9b7a3-a631-4079-a36f-0ce9401f59d8", "title": "Drive Activity by Location [Logs Google Workspace]", "type": "map", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -97,7 +97,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "23370ea2-03f9-4302-8b0c-4c4ee6a81318": { "columnOrder": [ @@ -176,15 +176,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d6471b8e-6e22-459d-a682-9b0a04757f64" - ], "layerId": "23370ea2-03f9-4302-8b0c-4c4ee6a81318", "layerType": "data", "legendDisplay": "default", - "metric": "bd04ef7a-ea8e-4f46-b6e7-f824cacc5885", + "metrics": [ + "bd04ef7a-ea8e-4f46-b6e7-f824cacc5885" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d6471b8e-6e22-459d-a682-9b0a04757f64" + ] } ], "shape": "pie" @@ -207,7 +209,7 @@ "panelIndex": "13fdbdfd-2204-42e6-a0df-5ec6abd24eb2", "title": "Distribution of Document Downloads by Title [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -221,7 +223,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "18651fd1-ac7a-4ab0-8610-1e890b4b9846": { "columnOrder": [ @@ -278,15 +280,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "1871eda3-319f-46ab-949b-2e2bf749c54d" - ], "layerId": "18651fd1-ac7a-4ab0-8610-1e890b4b9846", "layerType": "data", "legendDisplay": "default", - "metric": "0aab9f3f-951e-4d6f-8597-64dc7f874ef9", + "metrics": [ + "0aab9f3f-951e-4d6f-8597-64dc7f874ef9" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "1871eda3-319f-46ab-949b-2e2bf749c54d" + ] } ], "shape": "pie" @@ -309,77 +313,175 @@ "panelIndex": "d59d4f9e-73e8-48ab-9f31-3f36a9b49d0e", "title": "Distribution of Drive Events by Event Action [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4721a8fd-d8f8-46c7-bb67-0f58ddcbbf46", + "type": "index-pattern" } - }, - "description": "", - "id": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "drop_last_bucket": 0, - "id": "8b7f0824-9e4a-41c8-b2b9-b0a7d9a00273", - "index_pattern_ref_name": "metrics_f334e21c-1d4d-426c-953e-dbb45d99219e_0_index_pattern", - "interval": "", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "65ff96dc-8f2a-4a60-92a3-ad0f249b245d", - "label": "Country Name", - "line_width": 1, - "metrics": [ - { - "id": "e68be7b0-708a-400b-badb-0175c3224d21", - "type": "count" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4721a8fd-d8f8-46c7-bb67-0f58ddcbbf46": { + "columnOrder": [ + "04a94f43-284c-439c-9334-920d730b9b1e", + "04b9d728-f91c-4086-b0da-97738067fae9", + "b6120c8b-d77d-474e-a750-0c296ba72880" + ], + "columns": { + "04a94f43-284c-439c-9334-920d730b9b1e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "04b9d728-f91c-4086-b0da-97738067fae9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of source.geo.country_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_name" + }, + "b6120c8b-d77d-474e-a750-0c296ba72880": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Country Name", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "source.geo.country_name", - "time_range_mode": "entire_time_range" + } + }, + "textBased": { + "layers": {} } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "timeseries", - "use_kibana_indexes": true + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b6120c8b-d77d-474e-a750-0c296ba72880" + ], + "layerId": "4721a8fd-d8f8-46c7-bb67-0f58ddcbbf46", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "area", + "splitAccessor": "04b9d728-f91c-4086-b0da-97738067fae9", + "xAccessor": "04a94f43-284c-439c-9334-920d730b9b1e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "b6120c8b-d77d-474e-a750-0c296ba72880" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } }, - "title": "", - "type": "metrics", - "uiState": {} - } + "title": "Drive Activity by Country Over Time [Logs Google Workspace] (converted)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 15, @@ -390,8 +492,8 @@ }, "panelIndex": "f334e21c-1d4d-426c-953e-dbb45d99219e", "title": "Drive Activity by Country Over Time [Logs Google Workspace]", - "type": "visualization", - "version": "8.4.0" + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -410,7 +512,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "aacc9a6c-42f7-426a-b5c2-030c3d002d6e": { "columnOrder": [ @@ -517,7 +619,7 @@ "panelIndex": "5abea4dd-c858-4dfd-bc80-d949ef49a10b", "title": "Top 10 Uploads by Title [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -531,7 +633,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "065ef144-3d40-40fa-ba4a-df4b27642fff": { "columnOrder": [ @@ -644,7 +746,7 @@ "panelIndex": "4bc634ec-bd01-47a4-9f99-5e43edc2de2a", "title": "Distribution of Drive Events by Document Type [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -663,7 +765,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "944c8671-ceff-4edc-b04e-850f6442d26a": { "columnOrder": [ @@ -770,7 +872,7 @@ "panelIndex": "2606ea99-ab2d-4a46-9528-f254bd341971", "title": "Top 10 Viewed Documents [Logs Google Workspace]", "type": "lens", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -786,7 +888,7 @@ "panelIndex": "c0550726-6ce7-4d12-a078-3903beb1b4f8", "panelRefName": "panel_c0550726-6ce7-4d12-a078-3903beb1b4f8", "type": "search", - "version": "8.4.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -802,17 +904,18 @@ "panelIndex": "cb11b1b1-3767-4eeb-92b3-b05d38a01d78", "panelRefName": "panel_cb11b1b1-3767-4eeb-92b3-b05d38a01d78", "type": "search", - "version": "8.4.0" + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Google Workspace] Drive", "version": 1 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-12T11:52:52.520Z", "id": "google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370", "migrationVersion": { - "dashboard": "8.4.0" + "dashboard": "8.7.0" }, "references": [ { @@ -842,7 +945,7 @@ }, { "id": "logs-*", - "name": "f334e21c-1d4d-426c-953e-dbb45d99219e:metrics_f334e21c-1d4d-426c-953e-dbb45d99219e_0_index_pattern", + "name": "f334e21c-1d4d-426c-953e-dbb45d99219e:indexpattern-datasource-layer-4721a8fd-d8f8-46c7-bb67-0f58ddcbbf46", "type": "index-pattern" }, { diff --git a/packages/google_workspace/kibana/search/google_workspace-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370.json b/packages/google_workspace/kibana/search/google_workspace-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370.json index 2509c306b59f..82bce8d63c87 100644 --- a/packages/google_workspace/kibana/search/google_workspace-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370.json +++ b/packages/google_workspace/kibana/search/google_workspace-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370.json @@ -78,7 +78,8 @@ ], "title": "Documents Shared Outside of the Organization [Logs Google Workspace]" }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-12T11:50:53.983Z", "id": "google_workspace-1cac9ed0-3b2f-11ed-8bdd-f5c5df6c1370", "migrationVersion": { "search": "8.0.0" diff --git a/packages/google_workspace/kibana/search/google_workspace-2c40f770-3b24-11ed-8bdd-f5c5df6c1370.json b/packages/google_workspace/kibana/search/google_workspace-2c40f770-3b24-11ed-8bdd-f5c5df6c1370.json index 06f9d398bb0f..89b39c57f5d1 100644 --- a/packages/google_workspace/kibana/search/google_workspace-2c40f770-3b24-11ed-8bdd-f5c5df6c1370.json +++ b/packages/google_workspace/kibana/search/google_workspace-2c40f770-3b24-11ed-8bdd-f5c5df6c1370.json @@ -78,7 +78,8 @@ ], "title": "ACL Changes [Logs Google Workspace]" }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-12T11:50:53.983Z", "id": "google_workspace-2c40f770-3b24-11ed-8bdd-f5c5df6c1370", "migrationVersion": { "search": "8.0.0" diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index 10fdc53a45f9..d6e86418477a 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml @@ -1,6 +1,6 @@ name: google_workspace title: Google Workspace -version: "2.10.0" +version: "2.11.0" source: license: Elastic-2.0 description: Collect logs from Google Workspace with Elastic Agent. From 6f4eebb3fce1270edbbd9e2099a739fa2420af23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 11:22:44 +0200 Subject: [PATCH 4/4] build(deps): bump github.com/elastic/elastic-package (#6935) Bumps [github.com/elastic/elastic-package](https://github.com/elastic/elastic-package) from 0.83.2 to 0.84.0. - [Release notes](https://github.com/elastic/elastic-package/releases) - [Changelog](https://github.com/elastic/elastic-package/blob/main/.goreleaser.yml) - [Commits](https://github.com/elastic/elastic-package/compare/v0.83.2...v0.84.0) --- updated-dependencies: - dependency-name: github.com/elastic/elastic-package dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 11 +++++------ 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 524106c342be..a5720de31c0d 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.19 require ( github.com/blang/semver v3.5.1+incompatible - github.com/elastic/elastic-package v0.83.2 + github.com/elastic/elastic-package v0.84.0 github.com/elastic/go-licenser v0.4.1 github.com/elastic/package-registry v1.20.0 github.com/magefile/mage v1.15.0 @@ -135,7 +135,7 @@ require ( github.com/prometheus/procfs v0.9.0 // indirect github.com/rivo/uniseg v0.4.3 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/shirou/gopsutil/v3 v3.23.5 // indirect + github.com/shirou/gopsutil/v3 v3.23.6 // indirect github.com/shoenig/go-m1cpu v0.1.6 // indirect github.com/shopspring/decimal v1.3.1 // indirect github.com/sirupsen/logrus v1.9.0 // indirect diff --git a/go.sum b/go.sum index 91c97609a8c9..f5e24b3a2232 100644 --- a/go.sum +++ b/go.sum @@ -99,8 +99,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0 h1:Me2T3/O4nASmdjmfaKYaiJaGq8zVhasjfZi3il5p/gs= github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0/go.mod h1:uf9N86y+UACGybdEhZLpwZ93XHWVhsYZAA4c2T2v6YM= -github.com/elastic/elastic-package v0.83.2 h1:XEJZd6XeV1zds34gsFSZnwz06K8B/6k/NL58hBGnXuM= -github.com/elastic/elastic-package v0.83.2/go.mod h1:gcJ1Gy2P4DY1ww4T4PHhlNIgUwMP+IPlqIbAhcm9ixo= +github.com/elastic/elastic-package v0.84.0 h1:nDQuG+AyuBaNylVSRao56y6SEeHwBtLk7EQcBsz9VNw= +github.com/elastic/elastic-package v0.84.0/go.mod h1:stTYKmF5eraj38jN8WgZGF2XOt5XOs/vEqm3Lacmw98= github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo= github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.4.0/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= @@ -394,8 +394,8 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= -github.com/shirou/gopsutil/v3 v3.23.5 h1:5SgDCeQ0KW0S4N0znjeM/eFHXXOKyv2dVNgRq/c9P6Y= -github.com/shirou/gopsutil/v3 v3.23.5/go.mod h1:Ng3Maa27Q2KARVJ0SPZF5NdrQSC3XHKP8IIWrHgMeLY= +github.com/shirou/gopsutil/v3 v3.23.6 h1:5y46WPI9QBKBbK7EEccUPNXpJpNrvPuTD0O2zHEHT08= +github.com/shirou/gopsutil/v3 v3.23.6/go.mod h1:j7QX50DrXYggrpN30W0Mo+I4/8U2UUIQrnrhqUeWrAU= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU= @@ -427,7 +427,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= @@ -588,7 +587,7 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=